diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alert_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alert_client.ts index 6c6c80cae50b4..4782810dde87b 100644 --- a/x-pack/plugins/rule_registry/server/alert_data_client/alert_client.ts +++ b/x-pack/plugins/rule_registry/server/alert_data_client/alert_client.ts @@ -23,6 +23,7 @@ import { import { Logger, ElasticsearchClient, HttpResponsePayload } from '../../../../../src/core/server'; import { buildAlertsSearchQuery, buildAlertsUpdateParameters } from './utils'; import { RacAuthorizationAuditLogger } from './audit_logger'; +import { RuleDataPluginService } from '../rule_data_plugin_service'; export interface ConstructorOptions { logger: Logger; @@ -30,6 +31,8 @@ export interface ConstructorOptions { spaceId?: string; auditLogger: RacAuthorizationAuditLogger; esClient: ElasticsearchClient; + index: string; + ruleDataService: RuleDataPluginService; } interface IndexType { @@ -70,6 +73,7 @@ export interface UpdateOptions { data: { status: string; }; + assetName: string; // observability-apm see here: x-pack/plugins/apm/server/plugin.ts:191 } export interface BulkUpdateOptions { @@ -82,6 +86,7 @@ export interface BulkUpdateOptions { interface GetAlertParams { id: string; + assetName: string; // observability-apm see here: x-pack/plugins/apm/server/plugin.ts:191 } export interface GetAlertInstanceSummaryParams { 
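Review bot: The `assetName` fields added to `UpdateOptions` and `GetAlertParams` are documented only by a line-number pointer into another plugin (`x-pack/plugins/apm/server/plugin.ts:191`), which goes stale on the next edit of that file and says nothing about what the value is or how it is used. State the contract instead, e.g. `/** Rule-data asset name registered with RuleDataPluginService (e.g. 'observability-apm'); resolved to the concrete alerts index via getFullAssetName. */`. Both are required properties on exported interfaces, so any existing caller of `get`/`update` outside this diff now fails type-checking; if that is intended it is worth saying so, and the relationship between the new `index` constructor option and `assetName` (which one actually selects the index) deserves a sentence on `ConstructorOptions` as well.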
@@ -98,30 +103,51 @@ export class AlertsClient { private readonly logger: Logger; private readonly auditLogger: RacAuthorizationAuditLogger; private readonly spaceId?: string; + private readonly alertsIndex: string; private readonly authorization: PublicMethodsOf; private readonly esClient: ElasticsearchClient; + private readonly ruleDataService: RuleDataPluginService; - constructor({ auditLogger, authorization, logger, spaceId, esClient }: ConstructorOptions) { + constructor({ + auditLogger, + authorization, + logger, + spaceId, + esClient, + index, + ruleDataService, + }: ConstructorOptions) { this.logger = logger; this.spaceId = spaceId; this.authorization = authorization; this.esClient = esClient; this.auditLogger = auditLogger; + this.alertsIndex = index; + this.ruleDataService = ruleDataService; + } + + /** + * we are "hard coding" this string similar to how rule registry is doing it + * x-pack/plugins/apm/server/plugin.ts:191 + */ + public getAlertsIndex(assetName: string) { + // possibly append spaceId here? + return this.ruleDataService.getFullAssetName(assetName); // await this.authorization.getAuthorizedAlertsIndices(); } // TODO: Type out alerts (rule registry fields + alerting alerts type) - public async get({ id }: GetAlertParams): Promise { + public async get({ id, assetName }: GetAlertParams): Promise { // first search for the alert specified, then check if user has access to it // and return search results const query = buildAlertsSearchQuery({ - index: '.alerts-observability-apm', + index: this.getAlertsIndex(assetName), // '.alerts-observability-apm', alertId: id, }); // TODO: Type out alerts (rule registry fields + alerting alerts type) try { console.error('QUERY', JSON.stringify(query, null, 2)); const { body: result } = await this.esClient.get({ - index: '.alerts-observability-apm', + index: this.getAlertsIndex(assetName), // '.alerts-observability-apm', id, }); console.error('rule.id', result._source['rule.id']); 
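Review bot: `getAlertsIndex` turns the caller-supplied `assetName` directly into the index that `get` queries, and the previous authorization-derived lookup (`getAuthorizedAlertsIndices`) survives only as a trailing comment on the method; nothing visible in this hunk checks that the resolved index is one the requesting user is authorized for, or that `assetName` names a registered asset rather than an arbitrary suffix. The same substitution is made in both `update` hunks that follow, so the fix belongs in `getAlertsIndex` or a wrapper around it: resolve the name, then verify the result against the authorized set before any `esClient` call, e.g. `const index = this.getAlertsIndex(assetName); if (!(await this.authorization.getAuthorizedAlertsIndices(owner)).includes(index)) { /* reject as the existing owner check does */ }` — the exact rejection path should match whatever the "GOT PAST AUTHZ" check in `update` already throws. `this.alertsIndex` is assigned from the new `index` option but never read in the visible code, and the `console.error('QUERY', …)` / `console.error('rule.id', …)` prints dump query and document fields to stderr on every request; route them through `this.logger.debug` or drop them. `get` continues past the end of the hunk.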
@@ -186,10 +212,11 @@ export class AlertsClient { id, owner, data, + assetName, }: UpdateOptions): Promise> { // TODO: Type out alerts (rule registry fields + alerting alerts type) const result = await this.esClient.get({ - index: '.alerts-observability-apm', // '.siem-signals-devin-hurley-default', + index: this.getAlertsIndex(assetName), // '.alerts-observability-apm', // '.siem-signals-devin-hurley-default', id, }); console.error('RESULT', result); @@ -208,7 +235,7 @@ export class AlertsClient { console.error('GOT PAST AUTHZ'); try { - const index = this.authorization.getAuthorizedAlertsIndices(hits['kibana.rac.alert.owner']); + const index = this.getAlertsIndex(assetName); // this.authorization.getAuthorizedAlertsIndices(hits['kibana.rac.alert.owner']); console.error('INDEX', index); const updateParameters = { diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alert_client_factory.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alert_client_factory.ts index 5190f5ee93ae2..9babb8ecba0e3 100644 --- a/x-pack/plugins/rule_registry/server/alert_data_client/alert_client_factory.ts +++ b/x-pack/plugins/rule_registry/server/alert_data_client/alert_client_factory.ts @@ -12,6 +12,7 @@ import { SecurityPluginSetup } from '../../../security/server'; import { AlertingAuthorization } from '../../../alerting/server/authorization'; import { AlertsClient } from './alert_client'; import { RacAuthorizationAuditLogger } from './audit_logger'; +import { RuleDataPluginService } from '../rule_data_plugin_service'; export interface RacClientFactoryOpts { logger: Logger; @@ -19,6 +20,7 @@ export interface RacClientFactoryOpts { esClient: ElasticsearchClient; getAlertingAuthorization: (request: KibanaRequest) => PublicMethodsOf; securityPluginSetup: SecurityPluginSetup | undefined; + ruleDataService: RuleDataPluginService | undefined; } export class AlertsClientFactory { 
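Review bot: The new `index:` line in `update` and the replacement of `getAuthorizedAlertsIndices` keep every superseded expression as a trailing comment (`// '.alerts-observability-apm', // '.siem-signals-devin-hurley-default'` and `// this.authorization.getAuthorizedAlertsIndices(hits['kibana.rac.alert.owner'])`), which leaves a reader unable to tell whether the authorization-based lookup is meant to come back. Either restore it as a check on the resolved index or delete the comments; the old values are in history if anyone needs them. With the authorization call gone, `hits['kibana.rac.alert.owner']` may now be unused on this path — worth confirming, since `update` starts and ends outside the hunk.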
@@ -30,6 +32,7 @@ export class AlertsClientFactory { request: KibanaRequest ) => PublicMethodsOf; private securityPluginSetup!: SecurityPluginSetup | undefined; + private ruleDataService!: RuleDataPluginService | undefined; public initialize(options: RacClientFactoryOpts) { /** @@ -45,18 +48,21 @@ export class AlertsClientFactory { this.getSpaceId = options.getSpaceId; this.esClient = options.esClient; this.securityPluginSetup = options.securityPluginSetup; + this.ruleDataService = options.ruleDataService; } - public async create(request: KibanaRequest): Promise { + public async create(request: KibanaRequest, index: string): Promise { const { securityPluginSetup, getAlertingAuthorization, logger } = this; const spaceId = this.getSpaceId(request); return new AlertsClient({ spaceId, logger, + index, authorization: getAlertingAuthorization(request), auditLogger: new RacAuthorizationAuditLogger(securityPluginSetup?.audit.asScoped(request)), esClient: this.esClient, + ruleDataService: this.ruleDataService, }); } } diff --git a/x-pack/plugins/rule_registry/server/plugin.ts b/x-pack/plugins/rule_registry/server/plugin.ts index e5661be5699dd..6328944d5443b 100644 --- a/x-pack/plugins/rule_registry/server/plugin.ts +++ b/x-pack/plugins/rule_registry/server/plugin.ts @@ -5,7 +5,6 @@ * 2.0. */ -import { schema } from '@kbn/config-schema'; import { PluginInitializerContext, Plugin, @@ -39,6 +38,7 @@ export class RuleRegistryPlugin implements Plugin(); 
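Review bot: `create` passes `this.ruleDataService`, declared `RuleDataPluginService | undefined` in `RacClientFactoryOpts` and on the factory field, into `AlertsClient`, whose `ConstructorOptions.ruleDataService` is non-optional; under `strictNullChecks` this does not compile, and at runtime an undefined service makes every `getAlertsIndex` call fail on `getFullAssetName`. Fail fast instead: `if (!this.ruleDataService) throw new Error('AlertsClientFactory: ruleDataService was not provided to initialize()');` before `new AlertsClient(...)`, then pass the narrowed local. The `index` argument added to `create` is a bare positional string beside a request object, and both call sites in plugin.ts pass the same `config.index`; it would sit more naturally in `RacClientFactoryOpts` and be set once in `initialize`.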
@@ -83,61 +84,10 @@ export class RuleRegistryPlugin implements Plugin { const racClient = await context.rac.getAlertsClient(); // console.error(`WHATS IN THE RAC CLIENT`, racClient); - racClient?.get({ id: 'hello world' }); + racClient?.get({ id: 'hello world', assetName: 'observability-apm' }); return res.ok(); }); - router.get( - { - path: '/rac-getalert', - validate: false, - }, - async (context, request, response) => { - try { - const alertsClient = await context.rac.getAlertsClient(); - const { id } = request.query; - console.error('ID?', id); - const alert = await alertsClient.get({ id }); - return response.ok({ - body: alert, - }); - } catch (exc) { - console.error('ROUTE ERROR', exc); - throw exc; - } - } - ); - - router.post( - { - path: '/update-alert', - validate: { - body: schema.object({ - status: schema.string(), - ids: schema.arrayOf(schema.string()), - }), - }, - }, - async (context, req, res) => { - try { - const racClient = await context.rac.getAlertsClient(); - console.error(req); - const { status, ids } = req.body; - console.error('STATUS', status); - console.error('ID', ids); - const thing = await racClient?.update({ - id: ids[0], - owner: 'apm', - data: { status }, - }); - return res.ok({ body: { success: true, alerts: thing } }); - } catch (exc) { - console.error('OOPS', exc); - return res.unauthorized(); - } - } - ); - return service; } @@ -155,10 +105,11 @@ export class RuleRegistryPlugin implements Plugin { - return alertsClientFactory.create(request); + return alertsClientFactory.create(request, this.config.index); }; return { 
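Review bot: The smoke route kept in `setup` now calls `racClient?.get({ id: 'hello world', assetName: 'observability-apm' })` without `await` or a `catch`, so a rejected lookup becomes an unhandled promise rejection after the handler has already returned `res.ok()`. Since this commit removes the neighbouring `/rac-getalert` and `/update-alert` debug routes in favour of the `routes/` directory, this one should go the same way; if it must stay for now, `await racClient?.get(...)` inside a try/catch so failures surface in the response. `setup` continues outside the hunk.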
@@ -168,14 +119,14 @@ export class RuleRegistryPlugin implements Plugin => { - const { alertsClientFactory } = this; + const { alertsClientFactory, config } = this; return async function alertsRouteHandlerContext( context, request ): Promise { return { getAlertsClient: async () => { - const createdClient = alertsClientFactory.create(request); + const createdClient = alertsClientFactory.create(request, config.index); return createdClient; }, }; diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.ts index 5ab6f9f716a4d..9fe8a785ea93e 100644 --- a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.ts +++ b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.ts @@ -23,6 +23,7 @@ export const getAlertByIdRoute = (router: IRouter) => t.exact( t.type({ id: _id, + assetName: t.string, }) ) ), @@ -34,8 +35,8 @@ export const getAlertByIdRoute = (router: IRouter) => async (context, request, response) => { try { const alertsClient = await context.rac.getAlertsClient(); - const { id } = request.query; - const alert = await alertsClient.get({ id }); + const { id, assetName } = request.query; + const alert = await alertsClient.get({ id, assetName }); return response.ok({ body: alert, }); diff --git a/x-pack/plugins/rule_registry/server/routes/index.ts b/x-pack/plugins/rule_registry/server/routes/index.ts index 84b2205ef0bc8..4cc7881bf94e0 100644 --- a/x-pack/plugins/rule_registry/server/routes/index.ts +++ b/x-pack/plugins/rule_registry/server/routes/index.ts @@ -8,7 +8,9 @@ import { IRouter } from 'kibana/server'; import { RacRequestHandlerContext } from '../types'; import { getAlertByIdRoute } from './get_alert_by_id'; +import { updateAlertByIdRoute } from './update_alert_by_id'; export function defineRoutes(router: IRouter) { getAlertByIdRoute(router); + updateAlertByIdRoute(router); } 
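Review bot: In `get_alert_by_id.ts`, `assetName: t.string` accepts any query-string value and the handler passes it straight to `alertsClient.get`, where (per alert_client.ts in this diff) it selects the alerts index to read. Restrict it at the route boundary to names the rule data service has registered, or at minimum a literal union such as `assetName: t.literal('observability-apm')` until a registry lookup is wired in; that way unknown suffixes never reach Elasticsearch and the caller gets a validation failure rather than an index-not-found error from the client. The handler body continues outside the hunk.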
diff --git a/x-pack/plugins/rule_registry/server/routes/update_alert_by_id.ts b/x-pack/plugins/rule_registry/server/routes/update_alert_by_id.ts
new file mode 100644
index 0000000000000..063217912ef75
--- /dev/null
+++ b/x-pack/plugins/rule_registry/server/routes/update_alert_by_id.ts
@@ -0,0 +1,71 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { IRouter } from 'kibana/server'; +import * as t from 'io-ts'; +import { id as _id } from '@kbn/securitysolution-io-ts-list-types'; +import { transformError, getIndexExists } from '@kbn/securitysolution-es-utils'; +import { schema } from '@kbn/config-schema'; + +import { RacRequestHandlerContext } from '../types'; +import { BASE_RAC_ALERTS_API_PATH } from '../../common/constants'; +import { buildRouteValidation } from './utils/route_validation'; + +export const updateAlertByIdRoute = (router: IRouter) => { + router.post( + { + path: BASE_RAC_ALERTS_API_PATH, + validate: { + body: schema.object({ + status: schema.string(), + ids: schema.arrayOf(schema.string()), + assetName: schema.string(), + }), + }, + options: { + tags: ['access:rac'], + }, + }, + async (context, req, response) => { + try { + const racClient = await context.rac.getAlertsClient(); + console.error(req); + const { status, ids, assetName } = req.body; + console.error('STATUS', status); + console.error('ID', ids); + const thing = await racClient?.update({ + id: ids[0], + owner: 'apm', + data: { status }, + assetName, + }); + return response.ok({ body: { success: true, alerts: thing } }); + } catch (exc) { + const err = transformError(exc); + console.error(err.message); + console.error('ROUTE ERROR status code', err.statusCode); + const contentType: CustomHttpResponseOptions['headers'] = { + 'content-type': 'application/json', + }; + const defaultedHeaders: CustomHttpResponseOptions['headers'] = { + ...contentType, + }; + + return response.custom({ + headers: defaultedHeaders, + statusCode: err.statusCode, + body: Buffer.from( + JSON.stringify({ + message: err.message, + status_code: err.statusCode, + }) + ), + }); + } + 
} + ); +}; diff --git a/x-pack/plugins/rule_registry/server/scripts/get_observability_alert.sh b/x-pack/plugins/rule_registry/server/scripts/get_observability_alert.sh index 39392d7da1669..45c38bc1ea574 100755 --- a/x-pack/plugins/rule_registry/server/scripts/get_observability_alert.sh +++ b/x-pack/plugins/rule_registry/server/scripts/get_observability_alert.sh @@ -16,6 +16,6 @@ cd ../observer && sh ./post_detections_role.sh && sh ./post_detections_user.sh cd .. # Example: ./find_rules.sh -curl -s -k \ +curl -v -k \ -u $USER:changeme \ - -X GET ${KIBANA_URL}${SPACE_URL}/api/rac/alerts?id=NoxgpHkBqbdrfX07MqXV | jq . + -X GET "${KIBANA_URL}${SPACE_URL}/api/rac/alerts?id=NoxgpHkBqbdrfX07MqXV&assetName=observability-apm" | jq . diff --git a/x-pack/plugins/rule_registry/server/scripts/update_observability_alert.sh b/x-pack/plugins/rule_registry/server/scripts/update_observability_alert.sh index 2fb78b2dd0656..4d3f6d8f3fdb7 100755 --- a/x-pack/plugins/rule_registry/server/scripts/update_observability_alert.sh +++ b/x-pack/plugins/rule_registry/server/scripts/update_observability_alert.sh @@ -16,4 +16,4 @@ curl -s -k \ -H 'kbn-xsrf: 123' \ -u observer:changeme \ -X POST ${KIBANA_URL}${SPACE_URL}/update-alert \ - -d "{\"ids\": $IDS, \"status\":\"$STATUS\"}" | jq . + -d "{\"ids\": $IDS, \"status\":\"$STATUS\", \"assetName\":\"observability-apm\"}" | jq . diff --git a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json index 1bc4e19c9ad8a..82256f6779c95 100644 --- a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json +++ b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json @@ -6,7 +6,8 @@ "source": { "rule.id": "apm.error_rate", "message": "hello world 1", - "kibana.rac.alert.owner": "apm" + "kibana.rac.alert.owner": "apm", + "kibana.rac.alert.status": "open" } } } 
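Review bot: `console.error(req)` in the new `updateAlertByIdRoute` handler dumps the whole `KibanaRequest` — headers, cookies and the basic-auth credentials the accompanying scripts send — to stderr on every call; remove it together with the `STATUS`/`ID` prints, or log only the needed fields through the plugin logger. The file also does not compile as written: `CustomHttpResponseOptions` is used in the catch block but never imported, and `t`, `_id`, `getIndexExists` and `buildRouteValidation` are imported but unused. The body schema accepts `ids` as an array yet only `ids[0]` is updated, so any further ids are silently dropped — either loop over all of them or validate a single `id: schema.string()` — and `owner: 'apm'` is hard-coded although the request carries an `assetName`, which looks like the value it should derive from (worth confirming against how `update` checks ownership).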
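Review bot: Switching `get_observability_alert.sh` to `curl -v` makes curl print the outgoing request headers to stderr, including the `Authorization: Basic …` header built from `-u $USER:changeme`, so the credentials end up in terminal scrollback and any CI log that captures the script. Keep `curl -s -k \` (or `-sS` to still surface errors) in the committed script and add `-v` locally when debugging.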
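Review bot: `update_observability_alert.sh` still posts to `${KIBANA_URL}${SPACE_URL}/update-alert`, but this commit deletes that route from plugin.ts and registers the update handler under `BASE_RAC_ALERTS_API_PATH`, which the sibling get script and the new functional test address as `/api/rac/alerts`; as committed the script should get a 404. Change the target line to `-X POST ${KIBANA_URL}${SPACE_URL}/api/rac/alerts \` (quoting the URL as the get script now does).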
diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_rules.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alerts.ts similarity index 79% rename from x-pack/test/rule_registry/security_and_spaces/tests/basic/get_rules.ts rename to x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alerts.ts index 504e3f763c179..5651472158d05 100644 --- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_rules.ts +++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/get_alerts.ts @@ -38,7 +38,11 @@ export default ({ getService }: FtrProviderContext) => { describe('Users:', () => { it(`${superUser.username} should be able to access the APM alert in ${SPACE1}`, async () => { const res = await supertestWithoutAuth - .get(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV`) + .get( + `${getSpaceUrlPrefix( + SPACE1 + )}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV&assetName=observability-apm` + ) .auth(superUser.username, superUser.password) .set('kbn-xsrf', 'true') .expect(200); @@ -46,7 +50,11 @@ export default ({ getService }: FtrProviderContext) => { }); it(`${globalRead.username} should be able to access the APM alert in ${SPACE1}`, async () => { const res = await supertestWithoutAuth - .get(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV`) + .get( + `${getSpaceUrlPrefix( + SPACE1 + )}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV&assetName=observability-apm` + ) .auth(globalRead.username, globalRead.password) .set('kbn-xsrf', 'true') .expect(200); 
@@ -54,7 +62,11 @@ export default ({ getService }: FtrProviderContext) => { }); it(`${obsOnlySpacesAll.username} should be able to access the APM alert in ${SPACE1}`, async () => { const res = await supertestWithoutAuth - .get(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV`) + .get( + `${getSpaceUrlPrefix( + SPACE1 + )}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV&assetName=observability-apm` + ) .auth(obsOnlySpacesAll.username, obsOnlySpacesAll.password) .set('kbn-xsrf', 'true') .expect(200); @@ -62,7 +74,11 @@ export default ({ getService }: FtrProviderContext) => { }); it(`${obsOnlyReadSpacesAll.username} should be able to access the APM alert in ${SPACE1}`, async () => { const res = await supertestWithoutAuth - .get(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV`) + .get( + `${getSpaceUrlPrefix( + SPACE1 + )}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV&assetName=observability-apm` + ) .auth(obsOnlyReadSpacesAll.username, obsOnlyReadSpacesAll.password) .set('kbn-xsrf', 'true') .expect(200); @@ -82,7 +98,11 @@ export default ({ getService }: FtrProviderContext) => { ]) { it(`${scenario.user.username} should not be able to access the APM alert in ${SPACE1}`, async () => { await supertestWithoutAuth - .get(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV`) + .get( + `${getSpaceUrlPrefix( + SPACE1 + )}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV&assetName=observability-apm` + ) .auth(scenario.user.username, scenario.user.password) .set('kbn-xsrf', 'true') .expect(403); 
@@ -97,7 +117,11 @@ export default ({ getService }: FtrProviderContext) => { ]) { it(`${scenario.user.username} should be able to access the APM alert in ${SPACE2}`, async () => { await supertestWithoutAuth - .get(`${getSpaceUrlPrefix(SPACE2)}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV`) + .get( + `${getSpaceUrlPrefix( + SPACE2 + )}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV&assetName=observability-apm` + ) .auth(scenario.user.username, scenario.user.password) .set('kbn-xsrf', 'true') .expect(200); @@ -121,7 +145,11 @@ export default ({ getService }: FtrProviderContext) => { ]) { it(`${scenario.user.username} with right to access space1 only, should not be able to access the APM alert in ${SPACE2}`, async () => { await supertestWithoutAuth - .get(`${getSpaceUrlPrefix(SPACE2)}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV`) + .get( + `${getSpaceUrlPrefix( + SPACE2 + )}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV&assetName=observability-apm` + ) .auth(scenario.user.username, scenario.user.password) .set('kbn-xsrf', 'true') .expect(403); diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/index.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/index.ts index bcb5c1bbf7ea9..24e3fd9d4e5e5 100644 --- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/index.ts +++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/index.ts @@ -23,6 +23,7 @@ export default ({ loadTestFile, getService }: FtrProviderContext): void => { }); // Basic - loadTestFile(require.resolve('./get_rules')); + loadTestFile(require.resolve('./get_alerts')); + loadTestFile(require.resolve('./update_alert')); }); }; diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/update_alert.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/update_alert.ts new file mode 100644 index 0000000000000..253909fae9da4 --- /dev/null +++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/update_alert.ts 
@@ -0,0 +1,160 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { + secOnly, + secOnlyRead, + globalRead, + obsOnly, + obsOnlyRead, + obsOnlySpacesAll, + obsOnlyReadSpacesAll, + obsSec, + obsSecRead, + superUser, + noKibanaPrivileges, +} from '../../../common/lib/authentication/users'; +import { FtrProviderContext } from '../../../common/ftr_provider_context'; +import { getSpaceUrlPrefix } from '../../../common/lib/authentication/spaces'; + +// eslint-disable-next-line import/no-default-export +export default ({ getService }: FtrProviderContext) => { + const supertestWithoutAuth = getService('supertestWithoutAuth'); + const supertest = getService('supertest'); + const esArchiver = getService('esArchiver'); + + const TEST_URL = '/api/rac/alerts'; + const SPACE1 = 'space1'; + const SPACE2 = 'space2'; + + describe('rbac', () => { + describe('Users update:', () => { + beforeEach(async () => { + await esArchiver.load('rule_registry/alerts'); + }); + afterEach(async () => { + await esArchiver.unload('rule_registry/alerts'); + }); + it(`${superUser.username} should be able to update the APM alert in ${SPACE1}`, async () => { + const res = await supertestWithoutAuth + .post(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}`) + .auth(superUser.username, superUser.password) + .set('kbn-xsrf', 'true') + .send({ ids: ['NoxgpHkBqbdrfX07MqXV'], status: 'closed', assetName: 'observability-apm' }) + .expect(200); + }); + // it(`${globalRead.username} should be able to access the APM alert in ${SPACE1}`, async () => { + // const res = await supertestWithoutAuth + // .get(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV`) + // .auth(globalRead.username, globalRead.password) + // .set('kbn-xsrf', 'true') + // .expect(200); + // // console.error('RES', res); 
+ // }); + it(`${obsOnlySpacesAll.username} should be able to update the APM alert in ${SPACE1}`, async () => { + const res = await supertestWithoutAuth + .post(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}`) + .auth(obsOnlySpacesAll.username, obsOnlySpacesAll.password) + .set('kbn-xsrf', 'true') + .send({ ids: ['NoxgpHkBqbdrfX07MqXV'], status: 'closed', assetName: 'observability-apm' }) + .expect(200); + // console.error('RES', res); + }); + it(`${obsOnlyReadSpacesAll.username} should NOT be able to update the APM alert in ${SPACE1}`, async () => { + const res = await supertestWithoutAuth + .post(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}`) + .auth(obsOnlyReadSpacesAll.username, obsOnlyReadSpacesAll.password) + .set('kbn-xsrf', 'true') + .send({ ids: ['NoxgpHkBqbdrfX07MqXV'], status: 'closed', assetName: 'observability-apm' }) + .expect(403); + // console.error('RES', res); + }); + + for (const scenario of [ + { + user: noKibanaPrivileges, + }, + { + user: secOnly, + }, + { + user: secOnlyRead, + }, + ]) { + it(`${scenario.user.username} should NOT be able to update the APM alert in ${SPACE1}`, async () => { + await supertestWithoutAuth + .post(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}`) + .auth(scenario.user.username, scenario.user.password) + .set('kbn-xsrf', 'true') + .send({ + ids: ['NoxgpHkBqbdrfX07MqXV'], + status: 'closed', + assetName: 'observability-apm', + }) + .expect(403); + }); + } + }); + + // describe('Space:', () => { + // for (const scenario of [ + // { user: superUser, space: SPACE1 }, + // { user: globalRead, space: SPACE1 }, + // ]) { + // it(`${scenario.user.username} should be able to access the APM alert in ${SPACE2}`, async () => { + // await supertestWithoutAuth + // .get(`${getSpaceUrlPrefix(SPACE2)}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV`) + // .auth(scenario.user.username, scenario.user.password) + // .set('kbn-xsrf', 'true') + // .expect(200); + // }); + // } + + // for (const scenario of [ + // { user: secOnly }, + // { user: secOnlyRead }, + // 
{ user: obsSec }, + // { user: obsSecRead }, + // { + // user: noKibanaPrivileges, + // }, + // { + // user: obsOnly, + // }, + // { + // user: obsOnlyRead, + // }, + // ]) { + // it(`${scenario.user.username} with right to access space1 only, should not be able to access the APM alert in ${SPACE2}`, async () => { + // await supertestWithoutAuth + // .get(`${getSpaceUrlPrefix(SPACE2)}${TEST_URL}?id=NoxgpHkBqbdrfX07MqXV`) + // .auth(scenario.user.username, scenario.user.password) + // .set('kbn-xsrf', 'true') + // .expect(403); + // }); + // } + // }); + + // describe('extra params', () => { + // it('should NOT allow to pass a filter query parameter', async () => { + // await supertest + // .get(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}?sortOrder=asc&namespaces[0]=*`) + // .set('kbn-xsrf', 'true') + // .send() + // .expect(400); + // }); + + // it('should NOT allow to pass a non supported query parameter', async () => { + // await supertest + // .get(`${getSpaceUrlPrefix(SPACE1)}${TEST_URL}?notExists=something`) + // .set('kbn-xsrf', 'true') + // .send() + // .expect(400); + // }); + // }); + }); +};
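Review bot: The space-isolation scenarios — the ones that would show a user with rights to space1 only cannot update the alert in space2 — are entirely commented out in the new `update_alert.ts`, so this suite asserts nothing about cross-space updates, the property the `get` suite in get_alerts.ts does cover. Re-enable the `Space:` describe with `.post(...)` and `.send({ ids, status, assetName })` mirroring the get cases rather than leaving it as dead text. Separately, `res` is assigned and never read in three tests, and `supertest`, `globalRead`, `obsOnly`, `obsOnlyRead`, `obsSec`, `obsSecRead` and `SPACE2` are referenced only inside comments, which the usual no-unused-vars lint rules will likely reject; use them in the restored scenarios or drop the imports.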