From d29eb42c3c7553f9b7f55ffa73f926c0c27bd975 Mon Sep 17 00:00:00 2001
From: Ying Mao
Date: Wed, 11 Aug 2021 12:03:42 -0400
Subject: [PATCH] Adding unit test for find auth filter when user has no privileges
---
 .../alerting_authorization.test.ts | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts b/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts
index 0a90ff2276e31f..7f5b06031c18cd 100644
--- a/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts
+++ b/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts
@@ -1007,6 +1007,49 @@ describe('AlertingAuthorization', () => {
 );
 expect(auditLogger.logAuthorizationSuccess).not.toHaveBeenCalled();
 });
+ test('throws if user has no privileges to any rule type', async () => {
+ const { authorization } = mockSecurity();
+ const checkPrivileges: jest.MockedFunction<
+ ReturnType
+ > = jest.fn();
+ authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+ checkPrivileges.mockResolvedValueOnce({
+ username: 'some-user',
+ hasAllRequested: false,
+ privileges: {
+ kibana: [
+ {
+ privilege: mockAuthorizationAction('myType', 'myOtherApp', 'rule', 'create'),
+ authorized: false,
+ },
+ {
+ privilege: mockAuthorizationAction('myType', 'myApp', 'rule', 'create'),
+ authorized: false,
+ },
+ ],
+ },
+ });
+ const alertAuthorization = new AlertingAuthorization({
+ request,
+ authorization,
+ ruleTypeRegistry,
+ features,
+ auditLogger,
+ getSpace,
+ getSpaceId,
+ });
+ ruleTypeRegistry.list.mockReturnValue(setOfAlertTypes);
+ await expect(
+ alertAuthorization.getFindAuthorizationFilter(AlertingAuthorizationEntity.Rule, {
+ type: AlertingAuthorizationFilterType.KQL,
+ fieldNames: {
+ ruleTypeId: 'path.to.rule_type_id',
+ consumer: 'consumer-field',
+ },
+ })
+ ).rejects.toThrowErrorMatchingInlineSnapshot(`"Unauthorized some-user/find"`);
+ expect(auditLogger.logAuthorizationSuccess).not.toHaveBeenCalled();
+ });
 test('creates an `ensureRuleTypeIsAuthorized` function which throws if type is unauthorized', async () => {
 const { authorization } = mockSecurity();
 const checkPrivileges: jest.MockedFunction<
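Review bot: The new denial test never asserts that the refusal was audit-logged; after the `rejects` check it only verifies `expect(auditLogger.logAuthorizationSuccess).not.toHaveBeenCalled()`, so the audit trail for a fully unauthorized find is at best implied by the error text. I would add a positive assertion next to it, for example `expect(auditLogger.logUnscopedAuthorizationFailure).toHaveBeenCalledTimes(1);`. That method name is my assumption, since the mock setup and the code under test sit outside this hunk, so substitute whichever failure method this path actually calls. Separately, both mocked privileges are built with `'create'` although the call under test is `getFindAuthorizationFilter` and the message ends in `/find`. Because both entries are `authorized: false` the test passes either way, but `mockAuthorizationAction('myType', 'myApp', 'rule', 'find')` (and the same for `'myOtherApp'`) would presumably make the fixture describe the operation actually being denied.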