From dddcc8eb6e0f03efd736cc9861ffa4c001615566 Mon Sep 17 00:00:00 2001 From: Christos Nasikas Date: Thu, 13 Jul 2023 14:11:57 +0300 Subject: [PATCH] Do not allow setting kibana privileges if it is not a system action type --- .../server/action_type_registry.test.ts | 47 +++++++++---------- .../actions/server/action_type_registry.ts | 13 +++++ 2 files changed, 36 insertions(+), 24 deletions(-) diff --git a/x-pack/plugins/actions/server/action_type_registry.test.ts b/x-pack/plugins/actions/server/action_type_registry.test.ts index b8d0f977393f5..bf204185830a8 100644 --- a/x-pack/plugins/actions/server/action_type_registry.test.ts +++ b/x-pack/plugins/actions/server/action_type_registry.test.ts @@ -248,6 +248,29 @@ describe('actionTypeRegistry', () => { }) ).not.toThrow(); }); + + test('throws if the kibana privileges are defined but the action type is not a system action type', () => { + const actionTypeRegistry = new ActionTypeRegistry(actionTypeRegistryParams); + + expect(() => + actionTypeRegistry.register({ + id: 'my-action-type', + name: 'My action type', + minimumLicenseRequired: 'basic', + supportedFeatureIds: ['alerting'], + getKibanaPrivileges: jest.fn(), + isSystemActionType: false, + validate: { + config: { schema: schema.object({}) }, + secrets: { schema: schema.object({}) }, + params: { schema: schema.object({}) }, + }, + executor, + }) + ).toThrowErrorMatchingInlineSnapshot( + `"Kibana privilege authorization is only supported for system action types"` + ); + }); }); describe('get()', () => { @@ -756,30 +779,6 @@ describe('actionTypeRegistry', () => { expect(result).toEqual([]); }); - it('should return an empty array if the action type is not a system action but defines kibana privileges', () => { - const registry = new ActionTypeRegistry(actionTypeRegistryParams); - const getKibanaPrivileges = jest.fn().mockReturnValue(['test/create']); - - registry.register({ - id: 'foo', - name: 'Foo', - minimumLicenseRequired: 'basic', - supportedFeatureIds: ['alerting'], - getKibanaPrivileges, - validate: { - config: { schema: schema.object({}) }, - secrets: { schema: schema.object({}) }, - params: { schema: schema.object({}) }, - }, - executor, - }); - - const result = registry.getSystemActionKibanaPrivileges('foo'); - - expect(result).toEqual([]); - expect(getKibanaPrivileges).not.toHaveBeenCalled(); - }); - it('should pass the metadata correctly', () => { const registry = new ActionTypeRegistry(actionTypeRegistryParams); const getKibanaPrivileges = jest.fn().mockReturnValue(['test/create']); diff --git a/x-pack/plugins/actions/server/action_type_registry.ts b/x-pack/plugins/actions/server/action_type_registry.ts index 32e20081335b6..42968fdbd8f63 100644 --- a/x-pack/plugins/actions/server/action_type_registry.ts +++ b/x-pack/plugins/actions/server/action_type_registry.ts @@ -164,6 +164,19 @@ export class ActionTypeRegistry { ); } + if (!actionType.isSystemActionType && actionType.getKibanaPrivileges) { + throw new Error( + i18n.translate('xpack.actions.actionTypeRegistry.register.invalidKibanaPrivileges', { + defaultMessage: + 'Kibana privilege authorization is only supported for system action types', + values: { + connectorTypeId: actionType.id, + ids: actionType.supportedFeatureIds.join(','), + }, + }) + ); + } + const maxAttempts = this.actionsConfigUtils.getMaxAttempts({ actionTypeId: actionType.id, actionTypeMaxAttempts: actionType.maxAttempts,