1 change: 1 addition & 0 deletions .buildkite/ftr_platform_stateful_configs.yml
@@ -317,6 +317,7 @@ enabled:
- x-pack/test/security_api_integration/saml.http2.config.ts
- x-pack/test/security_api_integration/saml_cloud.config.ts
- x-pack/test/security_api_integration/chips.config.ts
- x-pack/test/security_api_integration/features.config.ts
- x-pack/test/security_api_integration/session_idle.config.ts
- x-pack/test/security_api_integration/session_invalidate.config.ts
- x-pack/test/security_api_integration/session_lifespan.config.ts
2 changes: 2 additions & 0 deletions .github/CODEOWNERS
@@ -466,6 +466,7 @@ examples/feature_control_examples @elastic/kibana-security
examples/feature_flags_example @elastic/kibana-core
x-pack/test/plugin_api_integration/plugins/feature_usage_test @elastic/kibana-security
x-pack/plugins/features @elastic/kibana-core
x-pack/test/security_api_integration/plugins/features_provider @elastic/kibana-security
x-pack/test/functional_execution_context/plugins/alerts @elastic/kibana-core
examples/field_formats_example @elastic/kibana-data-discovery
src/plugins/field_formats @elastic/kibana-data-discovery
@@ -778,6 +779,7 @@ x-pack/plugins/searchprofiler @elastic/kibana-management
x-pack/test/security_api_integration/packages/helpers @elastic/kibana-security
x-pack/packages/security/api_key_management @elastic/kibana-security
x-pack/packages/security/authorization_core @elastic/kibana-security
x-pack/packages/security/authorization_core_common @elastic/kibana-security
x-pack/packages/security/form_components @elastic/kibana-security
packages/kbn-security-hardening @elastic/kibana-security
x-pack/plugins/security @elastic/kibana-security
31 changes: 30 additions & 1 deletion oas_docs/bundle.json
@@ -40978,7 +40978,28 @@
"/api/security/role": {
"get": {
"operationId": "%2Fapi%2Fsecurity%2Frole#0",
"parameters": [],
"parameters": [
{
"description": "The version of the API to use",
"in": "header",
"name": "elastic-api-version",
"schema": {
"default": "2023-10-31",
"enum": [
"2023-10-31"
],
"type": "string"
}
},
{
"in": "query",
"name": "replaceDeprecatedPrivileges",
"required": false,
"schema": {
"type": "boolean"
}
}
],
"responses": {},
"summary": "Get all roles",
"tags": [
@@ -41051,6 +41072,14 @@
"minLength": 1,
"type": "string"
}
},
{
"in": "query",
"name": "replaceDeprecatedPrivileges",
"required": false,
"schema": {
"type": "boolean"
}
}
],
"responses": {},
20 changes: 19 additions & 1 deletion oas_docs/output/kibana.staging.yaml
@@ -40578,7 +40578,20 @@ paths:
/api/security/role:
get:
operationId: '%2Fapi%2Fsecurity%2Frole#0'
parameters: []
parameters:
- description: The version of the API to use
in: header
name: elastic-api-version
schema:
default: '2023-10-31'
enum:
- '2023-10-31'
type: string
- in: query
name: replaceDeprecatedPrivileges
required: false
schema:
type: boolean
responses: {}
summary: Get all roles
tags:
@@ -40629,6 +40642,11 @@ paths:
schema:
minLength: 1
type: string
- in: query
name: replaceDeprecatedPrivileges
required: false
schema:
type: boolean
responses: {}
summary: Get a role
tags:
20 changes: 19 additions & 1 deletion oas_docs/output/kibana.yaml
@@ -40578,7 +40578,20 @@ paths:
/api/security/role:
get:
operationId: '%2Fapi%2Fsecurity%2Frole#0'
parameters: []
parameters:
- description: The version of the API to use
in: header
name: elastic-api-version
schema:
default: '2023-10-31'
enum:
- '2023-10-31'
type: string
- in: query
name: replaceDeprecatedPrivileges
required: false
schema:
type: boolean
responses: {}
summary: Get all roles
tags:
@@ -40629,6 +40642,11 @@ paths:
schema:
minLength: 1
type: string
- in: query
name: replaceDeprecatedPrivileges
required: false
schema:
type: boolean
responses: {}
summary: Get a role
tags:
2 changes: 2 additions & 0 deletions package.json
@@ -522,6 +522,7 @@
"@kbn/feature-flags-example-plugin": "link:examples/feature_flags_example",
"@kbn/feature-usage-test-plugin": "link:x-pack/test/plugin_api_integration/plugins/feature_usage_test",
"@kbn/features-plugin": "link:x-pack/plugins/features",
"@kbn/features-provider-plugin": "link:x-pack/test/security_api_integration/plugins/features_provider",
"@kbn/fec-alerts-test-plugin": "link:x-pack/test/functional_execution_context/plugins/alerts",
"@kbn/field-formats-example-plugin": "link:examples/field_formats_example",
"@kbn/field-formats-plugin": "link:src/plugins/field_formats",
@@ -797,6 +798,7 @@
"@kbn/searchprofiler-plugin": "link:x-pack/plugins/searchprofiler",
"@kbn/security-api-key-management": "link:x-pack/packages/security/api_key_management",
"@kbn/security-authorization-core": "link:x-pack/packages/security/authorization_core",
"@kbn/security-authorization-core-common": "link:x-pack/packages/security/authorization_core_common",
"@kbn/security-form-components": "link:x-pack/packages/security/form_components",
"@kbn/security-hardening": "link:packages/kbn-security-hardening",
"@kbn/security-plugin": "link:x-pack/plugins/security",
@@ -14,6 +14,28 @@ import { KbnClient } from '@kbn/test';
export class Role {
constructor(private log: ToolingLog, private kibanaServer: KbnClient) {}

public async get(
name: string,
{ replaceDeprecatedPrivileges = true }: { replaceDeprecatedPrivileges?: boolean } = {}
) {
this.log.debug(`retrieving role ${name}`);
const { data, status, statusText } = await this.kibanaServer
.request({
path: `/api/security/role/${name}?replaceDeprecatedPrivileges=${replaceDeprecatedPrivileges}`,
method: 'GET',
})
.catch((e) => {
throw new Error(util.inspect(e.axiosError.response, true));
});
if (status !== 200) {
throw new Error(
`Expected status code of 200, received ${status} ${statusText}: ${util.inspect(data)}`
);
}

return data;
}

public async create(name: string, role: any) {
this.log.debug(`creating role ${name}`);
const { data, status, statusText } = await this.kibanaServer
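Review bot: `name` is interpolated into the request path unencoded in the new `get` method, so a role name containing `/`, `?` or `#` would be parsed as part of the URL structure rather than as the role name. Build the path with `${encodeURIComponent(name)}` in place of `${name}`. The `.catch` handler also dereferences `e.axiosError.response` unconditionally, so an error that carries no `axiosError` would surface as a TypeError and hide the original failure; `util.inspect(e.axiosError?.response ?? e, true)` keeps it visible. The method declares no return type, so `data` reaches callers untyped.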
4 changes: 4 additions & 0 deletions tsconfig.base.json
@@ -926,6 +926,8 @@
"@kbn/feature-usage-test-plugin/*": ["x-pack/test/plugin_api_integration/plugins/feature_usage_test/*"],
"@kbn/features-plugin": ["x-pack/plugins/features"],
"@kbn/features-plugin/*": ["x-pack/plugins/features/*"],
"@kbn/features-provider-plugin": ["x-pack/test/security_api_integration/plugins/features_provider"],
"@kbn/features-provider-plugin/*": ["x-pack/test/security_api_integration/plugins/features_provider/*"],
"@kbn/fec-alerts-test-plugin": ["x-pack/test/functional_execution_context/plugins/alerts"],
"@kbn/fec-alerts-test-plugin/*": ["x-pack/test/functional_execution_context/plugins/alerts/*"],
"@kbn/field-formats-example-plugin": ["examples/field_formats_example"],
@@ -1550,6 +1552,8 @@
"@kbn/security-api-key-management/*": ["x-pack/packages/security/api_key_management/*"],
"@kbn/security-authorization-core": ["x-pack/packages/security/authorization_core"],
"@kbn/security-authorization-core/*": ["x-pack/packages/security/authorization_core/*"],
"@kbn/security-authorization-core-common": ["x-pack/packages/security/authorization_core_common"],
"@kbn/security-authorization-core-common/*": ["x-pack/packages/security/authorization_core_common/*"],
"@kbn/security-form-components": ["x-pack/packages/security/form_components"],
"@kbn/security-form-components/*": ["x-pack/packages/security/form_components/*"],
"@kbn/security-hardening": ["packages/kbn-security-hardening"],
9 changes: 2 additions & 7 deletions x-pack/packages/security/authorization_core/index.ts
@@ -6,10 +6,5 @@
*/

export { Actions } from './src/actions';
export { privilegesFactory } from './src/privileges';
export type {
CasesSupportedOperations,
PrivilegesService,
RawKibanaPrivileges,
RawKibanaFeaturePrivileges,
Comment on lines -13 to -14
Contributor Author


note: these types have been moved to "common" types packages.

} from './src/privileges';
export { privilegesFactory, getReplacedByForPrivilege } from './src/privileges';
export type { CasesSupportedOperations, PrivilegesService } from './src/privileges';
@@ -51,3 +51,21 @@ describe('#get', () => {
);
});
});

test('#isValid', () => {
const alertingActions = new AlertingActions();
expect(alertingActions.isValid('alerting:foo-ruleType/consumer/alertingType/bar-operation')).toBe(
true
);

expect(
alertingActions.isValid('api:alerting:foo-ruleType/consumer/alertingType/bar-operation')
).toBe(false);
expect(alertingActions.isValid('api:foo-ruleType/consumer/alertingType/bar-operation')).toBe(
false
);

expect(alertingActions.isValid('alerting_foo-ruleType/consumer/alertingType/bar-operation')).toBe(
false
);
});
@@ -40,4 +40,12 @@ export class AlertingActions implements AlertingActionsType {

return `${this.prefix}${ruleTypeId}/${consumer}/${alertingEntity}/${operation}`;
}

/**
* Checks if the action is a valid alerting action.
* @param action The action string to check.
*/
public isValid(action: string) {
return action.startsWith(this.prefix);
}
}
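Review bot: `isValid` only tests `action.startsWith(this.prefix)`, so the bare prefix, or any malformed string that merely begins with it, is reported as a valid alerting action even though the doc comment promises validity. If the result is used when deciding which actions a privilege receives, as appears to be the case, the comment should state what is actually checked, e.g. `Checks whether the action string carries the alerting prefix; the remainder of the action is not validated.` An explicit `: boolean` return type would suit a public method, and a test case for the bare prefix would pin the intended result. The same applies to `UIActions.isValid` in `ui.ts`. The class body starts outside the hunk.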
12 changes: 12 additions & 0 deletions x-pack/packages/security/authorization_core/src/actions/ui.test.ts
@@ -32,3 +32,15 @@ describe('#get', () => {
expect(uiActions.get('foo', 'fooCapability', 'subFoo')).toBe('ui:foo/fooCapability/subFoo');
});
});

test('#isValid', () => {
const uiActions = new UIActions();
expect(uiActions.isValid('ui:alpha')).toBe(true);
expect(uiActions.isValid('ui:beta')).toBe(true);

expect(uiActions.isValid('api:alpha')).toBe(false);
expect(uiActions.isValid('api:beta')).toBe(false);

expect(uiActions.isValid('ui_alpha')).toBe(false);
expect(uiActions.isValid('ui_beta')).toBe(false);
});
8 changes: 8 additions & 0 deletions x-pack/packages/security/authorization_core/src/actions/ui.ts
@@ -40,4 +40,12 @@ export class UIActions implements UIActionsType {

return `${this.prefix}${featureId}/${uiCapabilityParts.join('/')}`;
}

/**
* Checks if the action is a valid UI action.
* @param action The action string to check.
*/
public isValid(action: string) {
Contributor Author


note: it's necessary to filter out non-UI actions when complementing actions of the registered deprecated features with the UI actions of the replacement features. This ensures that user roles with deprecated privileges can toggle capabilities exposed by the replacement privileges.

return action.startsWith(this.prefix);
}
}
@@ -7,5 +7,4 @@

export type { PrivilegesService } from './privileges';
export type { CasesSupportedOperations } from './feature_privilege_builder';
export { privilegesFactory } from './privileges';
export type { RawKibanaPrivileges, RawKibanaFeaturePrivileges } from './raw_kibana_privileges';
export { privilegesFactory, getReplacedByForPrivilege } from './privileges';