[Actions Plugin] Use server-side authc.getCurrentUser from core.secur…
…ity (#186924)

Part of #186574

Background: This PR serves as an example of a plugin migrating away from
depending on the Security plugin, which is a high priority effort for
the last release before 9.0. The Actions plugin uses the
`authc.getCurrentUser` method to attribute the current user to persisted
actions that are created in the system.

### Checklist

Delete any items that are not applicable to this PR.

- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
tsullivan authored Jul 2, 2024
1 parent 9cc4c41 commit dc12ac8
Showing 6 changed files with 15 additions and 18 deletions.
Expand Up @@ -12,7 +12,6 @@ import {
ACTION_SAVED_OBJECT_TYPE,
ACTION_TASK_PARAMS_SAVED_OBJECT_TYPE,
} from '../constants/saved_objects';
import { AuthenticatedUser } from '@kbn/security-plugin/server';
import { AuthorizationMode } from './get_authorization_mode_by_source';
import {
CONNECTORS_ADVANCED_EXECUTE_PRIVILEGE_API_TAG,
Expand All @@ -29,15 +28,14 @@ const ADVANCED_EXECUTE_AUTHZ = `api:${CONNECTORS_ADVANCED_EXECUTE_PRIVILEGE_API_
function mockSecurity() {
const security = securityMock.createSetup();
const authorization = security.authz;
const authentication = security.authc;
// typescript is having trouble inferring jest's automocking
(
authorization.actions.savedObject.get as jest.MockedFunction<
typeof authorization.actions.savedObject.get
>
).mockImplementation(mockAuthorizationAction);
authorization.mode.useRbacForRequest.mockReturnValue(true);
return { authorization, authentication };
return { authorization };
}

beforeEach(() => {
Expand Down Expand Up @@ -167,22 +165,17 @@ describe('ensureAuthorized', () => {
});

test('exempts users from requiring privileges to execute actions when authorizationMode is Legacy', async () => {
const { authorization, authentication } = mockSecurity();
const { authorization } = mockSecurity();
const checkPrivileges: jest.MockedFunction<
ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
> = jest.fn();
authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
const actionsAuthorization = new ActionsAuthorization({
request,
authorization,
authentication,
authorizationMode: AuthorizationMode.Legacy,
});

authentication.getCurrentUser.mockReturnValueOnce({
username: 'some-user',
} as unknown as AuthenticatedUser);

await actionsAuthorization.ensureAuthorized({ operation: 'execute', actionTypeId: 'myType' });

expect(authorization.actions.savedObject.get).not.toHaveBeenCalled();
Expand Up @@ -18,7 +18,6 @@ import { AuthorizationMode } from './get_authorization_mode_by_source';
export interface ConstructorOptions {
request: KibanaRequest;
authorization?: SecurityPluginSetup['authz'];
authentication?: SecurityPluginSetup['authc'];
// In order to support legacy Alerts which predate the introduction of the
// Actions feature in Kibana we need a way of "dialing down" the level of
// authorization for certain opearations.
Expand Down Expand Up @@ -49,7 +48,6 @@ export class ActionsAuthorization {
constructor({
request,
authorization,
authentication,
authorizationMode = AuthorizationMode.RBAC,
}: ConstructorOptions) {
this.request = request;
10 changes: 7 additions & 3 deletions x-pack/plugins/actions/server/lib/action_executor.test.ts
Expand Up @@ -10,7 +10,12 @@ import { schema } from '@kbn/config-schema';
import { ActionExecutor } from './action_executor';
import { actionTypeRegistryMock } from '../action_type_registry.mock';
import { encryptedSavedObjectsMock } from '@kbn/encrypted-saved-objects-plugin/server/mocks';
import { httpServerMock, loggingSystemMock, analyticsServiceMock } from '@kbn/core/server/mocks';
import {
httpServerMock,
loggingSystemMock,
analyticsServiceMock,
securityServiceMock,
} from '@kbn/core/server/mocks';
import { eventLoggerMock } from '@kbn/event-log-plugin/server/mocks';
import { spacesServiceMock } from '@kbn/spaces-plugin/server/spaces_service/spaces_service.mock';
import { ActionType as ConnectorType } from '../types';
Expand All @@ -20,7 +25,6 @@ import {
asHttpRequestExecutionSource,
asSavedObjectExecutionSource,
} from './action_execution_source';
import { securityMock } from '@kbn/security-plugin/server/mocks';
import { finished } from 'stream/promises';
import { PassThrough } from 'stream';
import { SecurityConnectorFeatureId } from '../../common';
Expand Down Expand Up @@ -58,7 +62,7 @@ const executeParams = {
const spacesMock = spacesServiceMock.createStartContract();
const loggerMock: ReturnType<typeof loggingSystemMock.createLogger> =
loggingSystemMock.createLogger();
const securityMockStart = securityMock.createStart();
const securityMockStart = securityServiceMock.createStart();

const authorizationMock = actionsAuthorizationMock.create();
const getActionsAuthorizationWithRequest = jest.fn();
5 changes: 3 additions & 2 deletions x-pack/plugins/actions/server/lib/action_executor.ts
Expand Up @@ -7,6 +7,8 @@

import type { PublicMethodsOf } from '@kbn/utility-types';
import {
type AuthenticatedUser,
type SecurityServiceStart,
AnalyticsServiceStart,
KibanaRequest,
Logger,
Expand All @@ -18,7 +20,6 @@ import { withSpan } from '@kbn/apm-utils';
import { EncryptedSavedObjectsClient } from '@kbn/encrypted-saved-objects-plugin/server';
import { SpacesServiceStart } from '@kbn/spaces-plugin/server';
import { IEventLogger, SAVED_OBJECT_REL_PRIMARY } from '@kbn/event-log-plugin/server';
import { AuthenticatedUser, SecurityPluginStart } from '@kbn/security-plugin/server';
import { createTaskRunError, TaskErrorSource } from '@kbn/task-manager-plugin/server';
import { getErrorSource } from '@kbn/task-manager-plugin/server/task_running';
import { GEN_AI_TOKEN_COUNT_EVENT } from './event_based_telemetry';
Expand Down Expand Up @@ -59,7 +60,7 @@ const Millis2Nanos = 1000 * 1000;
export interface ActionExecutorContext {
logger: Logger;
spaces?: SpacesServiceStart;
security?: SecurityPluginStart;
security: SecurityServiceStart;
getServices: GetServicesFunction;
getUnsecuredServices: GetUnsecuredServicesFunction;
encryptedSavedObjectsClient: EncryptedSavedObjectsClient;
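Review bot: The `security` member of `ActionExecutorContext` changes from optional to required, with no comment on what it is used for or on the null case. Core's `authc.getCurrentUser(request)` returns `AuthenticatedUser | null`, so the code that attributes an execution to the current user (outside this hunk) still has to handle `null`, for instance for a request that carries no authenticated user. Any remaining `security?.` optional chaining in this file is presumably dead now and could be dropped so the null handling sits in one obvious place. I would add a TSDoc line on the field, such as `/** Core security service; authc.getCurrentUser attributes the acting user and may return null. */`. The interface body continues outside the hunk.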
2 changes: 2 additions & 0 deletions x-pack/plugins/actions/server/lib/task_runner_factory.test.ts
Expand Up @@ -18,6 +18,7 @@ import {
httpServiceMock,
savedObjectsRepositoryMock,
analyticsServiceMock,
securityServiceMock,
} from '@kbn/core/server/mocks';
import { eventLoggerMock } from '@kbn/event-log-plugin/server/mocks';
import { ActionTypeDisabledError } from './errors';
Expand Down Expand Up @@ -98,6 +99,7 @@ const actionExecutorInitializerParams = {
eventLogger,
inMemoryConnectors: [],
analyticsService: analyticsServiceMock.createAnalyticsServiceStart(),
security: securityServiceMock.createStart(),
};

const taskRunnerFactoryInitializerParams = {
3 changes: 1 addition & 2 deletions x-pack/plugins/actions/server/plugin.ts
Expand Up @@ -553,7 +553,7 @@ export class ActionsPlugin implements Plugin<PluginSetupContract, PluginStartCon
logger,
eventLogger: this.eventLogger!,
spaces: plugins.spaces?.spacesService,
security: plugins.security,
security: core.security,
getServices: this.getServicesFactory(
getScopedSavedObjectsClientWithoutAccessToActions,
core.elasticsearch,
Expand Down Expand Up @@ -647,7 +647,6 @@ export class ActionsPlugin implements Plugin<PluginSetupContract, PluginStartCon
request,
authorizationMode,
authorization: this.security?.authz,
authentication: this.security?.authc,
});
};

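Review bot: After this change the executor takes authentication from `core.security`, while `ActionsAuthorization` still receives `authorization: this.security?.authz` from the Security plugin. User attribution and the privilege check now come from two different contracts, and only one of them is optional. When the Security plugin is absent, `authz` is undefined and, as far as these hunks show, privilege checks are presumably skipped while the core `getCurrentUser` returns null; that pairing deserves a comment at `security: core.security,`, for example `// core security service (authc only); authz still comes from the optional Security plugin`. Both hunks are cut from larger methods that are not visible here, so the downstream null handling should be confirmed against the full file.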
