-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Authz] OAS Descriptions for Route Authz (#197001)
Closes #191714 ## Summary Update process router to generate authz descriptions based on the new Route Security objects. ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Elastic Machine <[email protected]>
- Loading branch information
1 parent
3791a9b
commit a168458
Showing
8 changed files
with
219 additions
and
5 deletions.
There are no files selected for viewing
81 changes: 81 additions & 0 deletions
81
packages/kbn-router-to-openapispec/src/extract_authz_description.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the "Elastic License | ||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side | ||
* Public License v 1"; you may not use this file except in compliance with, at | ||
* your election, the "Elastic License 2.0", the "GNU Affero General Public | ||
* License v3.0 only", or the "Server Side Public License, v 1". | ||
*/ | ||
|
||
import { schema } from '@kbn/config-schema'; | ||
import { extractAuthzDescription } from './extract_authz_description'; | ||
import { InternalRouterRoute } from './type'; | ||
import { RouteSecurity } from '@kbn/core-http-server'; | ||
|
||
describe('extractAuthzDescription', () => { | ||
it('should return empty if route does not require privileges', () => { | ||
const route: InternalRouterRoute = { | ||
path: '/foo', | ||
options: { access: 'internal' }, | ||
handler: jest.fn(), | ||
validationSchemas: { request: { body: schema.object({}) } }, | ||
method: 'get', | ||
isVersioned: false, | ||
}; | ||
const description = extractAuthzDescription(route.security); | ||
expect(description).toBe(''); | ||
}); | ||
|
||
it('should return route authz description for simple privileges', () => { | ||
const routeSecurity: RouteSecurity = { | ||
authz: { | ||
requiredPrivileges: ['manage_spaces'], | ||
}, | ||
}; | ||
const description = extractAuthzDescription(routeSecurity); | ||
expect(description).toBe('[Authz] Route required privileges: ALL of [manage_spaces].'); | ||
}); | ||
|
||
it('should return route authz description for privilege groups', () => { | ||
{ | ||
const routeSecurity: RouteSecurity = { | ||
authz: { | ||
requiredPrivileges: [{ allRequired: ['console'] }], | ||
}, | ||
}; | ||
const description = extractAuthzDescription(routeSecurity); | ||
expect(description).toBe('[Authz] Route required privileges: ALL of [console].'); | ||
} | ||
{ | ||
const routeSecurity: RouteSecurity = { | ||
authz: { | ||
requiredPrivileges: [ | ||
{ | ||
anyRequired: ['manage_spaces', 'taskmanager'], | ||
}, | ||
], | ||
}, | ||
}; | ||
const description = extractAuthzDescription(routeSecurity); | ||
expect(description).toBe( | ||
'[Authz] Route required privileges: ANY of [manage_spaces OR taskmanager].' | ||
); | ||
} | ||
{ | ||
const routeSecurity: RouteSecurity = { | ||
authz: { | ||
requiredPrivileges: [ | ||
{ | ||
allRequired: ['console', 'filesManagement'], | ||
anyRequired: ['manage_spaces', 'taskmanager'], | ||
}, | ||
], | ||
}, | ||
}; | ||
const description = extractAuthzDescription(routeSecurity); | ||
expect(description).toBe( | ||
'[Authz] Route required privileges: ALL of [console, filesManagement] AND ANY of [manage_spaces OR taskmanager].' | ||
); | ||
} | ||
}); | ||
}); |
60 changes: 60 additions & 0 deletions
60
packages/kbn-router-to-openapispec/src/extract_authz_description.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the "Elastic License | ||
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side | ||
* Public License v 1"; you may not use this file except in compliance with, at | ||
* your election, the "Elastic License 2.0", the "GNU Affero General Public | ||
* License v3.0 only", or the "Server Side Public License, v 1". | ||
*/ | ||
|
||
import type { AuthzEnabled, AuthzDisabled, InternalRouteSecurity } from '@kbn/core-http-server'; | ||
|
||
interface PrivilegeGroupValue { | ||
allRequired: string[]; | ||
anyRequired: string[]; | ||
} | ||
|
||
export const extractAuthzDescription = (routeSecurity: InternalRouteSecurity | undefined) => { | ||
if (!routeSecurity) { | ||
return ''; | ||
} | ||
if (!('authz' in routeSecurity) || (routeSecurity.authz as AuthzDisabled).enabled === false) { | ||
return ''; | ||
} | ||
|
||
const privileges = (routeSecurity.authz as AuthzEnabled).requiredPrivileges; | ||
|
||
const groupedPrivileges = privileges.reduce<PrivilegeGroupValue>( | ||
(groups, privilege) => { | ||
if (typeof privilege === 'string') { | ||
groups.allRequired.push(privilege); | ||
|
||
return groups; | ||
} | ||
groups.allRequired.push(...(privilege.allRequired ?? [])); | ||
groups.anyRequired.push(...(privilege.anyRequired ?? [])); | ||
|
||
return groups; | ||
}, | ||
{ | ||
anyRequired: [], | ||
allRequired: [], | ||
} | ||
); | ||
|
||
const getPrivilegesDescription = (allRequired: string[], anyRequired: string[]) => { | ||
const allDescription = allRequired.length ? `ALL of [${allRequired.join(', ')}]` : ''; | ||
const anyDescription = anyRequired.length ? `ANY of [${anyRequired.join(' OR ')}]` : ''; | ||
|
||
return `${allDescription}${allDescription && anyDescription ? ' AND ' : ''}${anyDescription}`; | ||
}; | ||
|
||
const getDescriptionForRoute = () => { | ||
const allRequired = [...groupedPrivileges.allRequired]; | ||
const anyRequired = [...groupedPrivileges.anyRequired]; | ||
|
||
return `Route required privileges: ${getPrivilegesDescription(allRequired, anyRequired)}.`; | ||
}; | ||
|
||
return `[Authz] ${getDescriptionForRoute()}`; | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters