check_privileges.ts
check_privileges.ts
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import { pick, transform, uniq } from 'lodash';
import type { IClusterClient, KibanaRequest } from 'src/core/server';
import { GLOBAL_RESOURCE } from '../../common/constants';
import { ResourceSerializer } from './resource_serializer';
import type {
CheckPrivileges,
CheckPrivilegesPayload,
CheckPrivilegesResponse,
HasPrivilegesResponse,
HasPrivilegesResponseApplication,
} from './types';
import { validateEsPrivilegeResponse } from './validate_es_response';
/**
 * Names of the two application actions that every privilege check requests in
 * addition to the ones the caller asked for (see `allApplicationPrivileges`
 * in `checkPrivilegesWithRequestFactory`), so a Kibana version mismatch can be
 * detected from the Elasticsearch response.
 */
interface CheckPrivilegesActions {
  // A resource that grants this action while lacking `version` is treated as
  // written by a different Kibana version (see `hasIncompatibleVersion`).
  login: string;
  // Action that must accompany `login` on a resource for it to count as compatible.
  version: string;
}
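/**
 * Builds the `checkPrivilegesWithRequest` function used to ask Elasticsearch
 * whether the user behind a request holds a set of Kibana (application),
 * cluster and index privileges.
 *
 * Every check additionally requests `actions.version` and `actions.login`;
 * the pair is used to detect roles written by another Kibana version, in which
 * case the check throws instead of returning an authorization result.
 *
 * @param actions - names of the `login` and `version` application actions.
 * @param getClusterClient - lazy accessor for the Elasticsearch cluster client.
 * @param applicationName - Kibana's application name in the ES privilege model.
 * @returns a function that scopes the privilege check to a `KibanaRequest`.
 */
export function checkPrivilegesWithRequestFactory(
  actions: CheckPrivilegesActions,
  getClusterClient: () => Promise<IClusterClient>,
  applicationName: string
) {
  // True when any resource grants `login` but not `version`: the role was
  // defined by a different Kibana version whose privilege layout may differ.
  const hasIncompatibleVersion = (
    applicationPrivilegesResponse: HasPrivilegesResponseApplication
  ) =>
    Object.values(applicationPrivilegesResponse).some(
      (resource) => !resource[actions.version] && resource[actions.login]
    );

  // Turns ES's `{ [privilege]: boolean }` map into the `{ privilege, authorized }`
  // array shape used by CheckPrivilegesResponse for cluster and index privileges.
  const toPrivilegeEntries = (granted: Record<string, boolean>) =>
    Object.entries(granted).map(([privilege, authorized]) => ({ privilege, authorized }));

  return function checkPrivilegesWithRequest(request: KibanaRequest): CheckPrivileges {
    /**
     * Runs a single `hasPrivileges` call for the given application resources.
     *
     * @param resources - serialized space resources (or `GLOBAL_RESOURCE`).
     * @param privileges - Kibana and/or Elasticsearch privileges to check.
     * @throws Error when the response indicates mixed Kibana versions, or whatever
     *   `validateEsPrivilegeResponse` throws for a response that does not match the request.
     */
    const checkPrivilegesAtResources = async (
      resources: string[],
      privileges: CheckPrivilegesPayload
    ): Promise<CheckPrivilegesResponse> => {
      // `privileges.kibana` may be a single privilege, a list, or absent.
      const kibanaPrivileges = Array.isArray(privileges.kibana)
        ? privileges.kibana
        : privileges.kibana
        ? [privileges.kibana]
        : [];
      // `version` and `login` are always requested so the mismatch check below has data.
      const allApplicationPrivileges = uniq([actions.version, actions.login, ...kibanaPrivileges]);

      const clusterClient = await getClusterClient();
      // Scoped to the request and run as the current user, so ES evaluates the
      // caller's own roles.
      const { body } = await clusterClient.asScoped(request).asCurrentUser.security.hasPrivileges({
        body: {
          cluster: privileges.elasticsearch?.cluster,
          index: Object.entries(privileges.elasticsearch?.index ?? {}).map(
            ([name, indexPrivileges]) => ({ names: [name], privileges: indexPrivileges })
          ),
          application: [
            { application: applicationName, resources, privileges: allApplicationPrivileges },
          ],
        },
      });

      const hasPrivilegesResponse: HasPrivilegesResponse = body;
      // Check the response against what was requested (application, privileges,
      // resources) before deriving anything from it.
      validateEsPrivilegeResponse(
        hasPrivilegesResponse,
        applicationName,
        allApplicationPrivileges,
        resources
      );

      const applicationPrivilegesResponse = hasPrivilegesResponse.application[applicationName];
      // Fail closed, and do it before any result is assembled: a mixed-version
      // cluster must never yield an authorization decision.
      if (hasIncompatibleVersion(applicationPrivilegesResponse)) {
        throw new Error(
          'Multiple versions of Kibana are running against the same Elasticsearch cluster, unable to authorize user.'
        );
      }

      const clusterPrivileges = toPrivilegeEntries(hasPrivilegesResponse.cluster ?? {});
      // Object.fromEntries instead of a spread-accumulating reduce: same result, linear time.
      const indexPrivileges: CheckPrivilegesResponse['privileges']['elasticsearch']['index'] =
        Object.fromEntries(
          Object.entries(hasPrivilegesResponse.index ?? {}).map(
            ([index, indexResponse]) => [index, toPrivilegeEntries(indexResponse)] as const
          )
        );

      // Drop `version`/`login` (and anything else not requested) so callers only
      // see the privileges they asked about. The normalized list is used so a
      // single-string `kibana` payload is filtered the same way as an array.
      const resourcePrivileges = transform(applicationPrivilegesResponse, (result, value, key) => {
        result[key!] = pick(value, kibanaPrivileges);
      }) as HasPrivilegesResponseApplication;

      const privilegeArray = Object.entries(resourcePrivileges).flatMap(([key, val]) => {
        // Resource keys are serialized space ids; the global resource maps to no space.
        const resource =
          key !== GLOBAL_RESOURCE ? ResourceSerializer.deserializeSpaceResource(key!) : undefined;
        return Object.entries(val).map(([privilege, authorized]) => ({
          resource,
          privilege,
          authorized,
        }));
      });

      return {
        // NOTE(review): `has_all_requested` presumably reflects the whole request,
        // i.e. `version`/`login` and any elasticsearch privileges as well as the
        // Kibana ones — confirm before using it for Kibana-only decisions.
        hasAllRequested: hasPrivilegesResponse.has_all_requested,
        username: hasPrivilegesResponse.username,
        privileges: {
          kibana: privilegeArray,
          elasticsearch: {
            cluster: clusterPrivileges,
            index: indexPrivileges,
          },
        },
      };
    };

    return {
      /** Checks privileges against a single space. */
      async atSpace(spaceId: string, privileges: CheckPrivilegesPayload) {
        const spaceResource = ResourceSerializer.serializeSpaceResource(spaceId);
        return await checkPrivilegesAtResources([spaceResource], privileges);
      },
      /** Checks privileges against several spaces in one ES call. */
      async atSpaces(spaceIds: string[], privileges: CheckPrivilegesPayload) {
        const spaceResources = spaceIds.map((spaceId) =>
          ResourceSerializer.serializeSpaceResource(spaceId)
        );
        return await checkPrivilegesAtResources(spaceResources, privileges);
      },
      /** Checks privileges against the global (all-spaces) resource. */
      async globally(privileges: CheckPrivilegesPayload) {
        return await checkPrivilegesAtResources([GLOBAL_RESOURCE], privileges);
      },
    };
  };
}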