From ead6edfa4ed15884fa674226ac4c6111ab0c03db Mon Sep 17 00:00:00 2001
From: Jonathan Buttner
Date: Thu, 3 Jun 2021 15:44:12 -0400
Subject: [PATCH] Adding tests for space permissions

---
 .../tests/common/cases/delete_cases.ts | 25 ++++++++++++---
 .../tests/common/comments/delete_comment.ts | 31 +++++++++++++++++++
 .../tests/common/configure/patch_configure.ts | 26 ++++++++++++++++
 .../tests/common/comments/get_comment.ts | 2 +-
 4 files changed, 79 insertions(+), 5 deletions(-)

diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/delete_cases.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/delete_cases.ts
index bbb9624c4b14b..964e9135aba7b 100644
--- a/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/delete_cases.ts
+++ b/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/delete_cases.ts
@@ -285,10 +285,27 @@ export default ({ getService }: FtrProviderContext): void => {
 );
 
 /**
- * We expect a 404 because the bulkGet inside the delete
- * route should return a 404 when requesting a case from
- * a different space.
- * */
+ * secOnly does not have access to space2 so it should 403
+ */
+ await deleteCases({
+ supertest: supertestWithoutAuth,
+ caseIDs: [postedCase.id],
+ expectedHttpCode: 403,
+ auth: { user: secOnly, space: 'space2' },
+ });
+ });
+
+ it('should NOT delete a case created in space2 by making a request to space1', async () => {
+ const postedCase = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest({ owner: 'securitySolutionFixture' }),
+ 200,
+ {
+ user: superUser,
+ space: 'space2',
+ }
+ );
+
 await deleteCases({
 supertest: supertestWithoutAuth,
 caseIDs: [postedCase.id],
diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/delete_comment.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/delete_comment.ts
index 3336abfa47e7c..fc0b62ff924b5 100644
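Review bot: The new `deleteCases` call with `auth: { user: secOnly, space: 'space2' }` asserts only `expectedHttpCode: 403`, so a route that answered 403 but still performed the deletion would pass; after that call, fetch the case again as `superUser` in `space2` and assert it still exists, so the test proves the authorization failure had no side effect. The same gap applies to the 403 checks added in delete_comment.ts (`deleteComment` / `deleteAllComments`, where the comment should be confirmed still present) and in patch_configure.ts (`updateConfiguration`, where the stored `closure_type` should be confirmed unchanged). The body of the new `it('should NOT delete a case created in space2 by making a request to space1')` continues outside this hunk, so the status code it expects for the space1 request is not visible here and the dropped explanation about the bulkGet returning 404 for a case from another space could be re-added there if that is still the expected behaviour.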
--- a/x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/delete_comment.ts
+++ b/x-pack/test/case_api_integration/security_and_spaces/tests/common/comments/delete_comment.ts
@@ -320,6 +320,37 @@ export default ({ getService }: FtrProviderContext): void => {
 auth: { user: superUser, space: 'space2' },
 });
 
+ await deleteComment({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ commentId: commentResp.comments![0].id,
+ auth: { user: secOnly, space: 'space2' },
+ expectedHttpCode: 403,
+ });
+
+ await deleteAllComments({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ auth: { user: secOnly, space: 'space2' },
+ expectedHttpCode: 403,
+ });
+ });
+
+ it('should NOT delete a comment created in space2 by making a request to space1', async () => {
+ const postedCase = await createCase(
+ supertestWithoutAuth,
+ getPostCaseRequest({ owner: 'securitySolutionFixture' }),
+ 200,
+ { user: superUser, space: 'space2' }
+ );
+
+ const commentResp = await createComment({
+ supertest: supertestWithoutAuth,
+ caseId: postedCase.id,
+ params: postCommentUserReq,
+ auth: { user: superUser, space: 'space2' },
+ });
+
 await deleteComment({
 supertest: supertestWithoutAuth,
 caseId: postedCase.id,
diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/configure/patch_configure.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/configure/patch_configure.ts
index ced727f8e4e75..323b1b377e555 100644
--- a/x-pack/test/case_api_integration/security_and_spaces/tests/common/configure/patch_configure.ts
+++ b/x-pack/test/case_api_integration/security_and_spaces/tests/common/configure/patch_configure.ts
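Review bot: The added `deleteComment` and `deleteAllComments` calls that expect 403 carry no comment saying why, whereas the parallel change in delete_cases.ts documents it with `secOnly does not have access to space2 so it should 403`; add the same one-line comment above the first `await deleteComment({` here and above the 403 `await updateConfiguration(` in patch_configure.ts so the three tests read consistently and the reader knows the failure is a space-access denial rather than a missing resource. The new `it('should NOT delete a comment created in space2 by making a request to space1')` at the end of the hunk continues outside it, so the request to space1 that its title describes is not visible here.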
@@ -224,6 +224,32 @@ export default ({ getService }: FtrProviderContext): void => {
 }
 );
 
+ await updateConfiguration(
+ supertestWithoutAuth,
+ configuration.id,
+ {
+ closure_type: 'close-by-pushing',
+ version: configuration.version,
+ },
+ 403,
+ {
+ user: secOnly,
+ space: 'space2',
+ }
+ );
+ });
+
+ it('should NOT update a configuration created in space2 by making a request to space1', async () => {
+ const configuration = await createConfiguration(
+ supertestWithoutAuth,
+ { ...getConfigurationRequest(), owner: 'securitySolutionFixture' },
+ 200,
+ {
+ user: superUser,
+ space: 'space2',
+ }
+ );
+
 await updateConfiguration(
 supertestWithoutAuth,
 configuration.id,
diff --git a/x-pack/test/case_api_integration/spaces_only/tests/common/comments/get_comment.ts b/x-pack/test/case_api_integration/spaces_only/tests/common/comments/get_comment.ts
index b53b2e6e59cfb..048700993087d 100644
--- a/x-pack/test/case_api_integration/spaces_only/tests/common/comments/get_comment.ts
+++ b/x-pack/test/case_api_integration/spaces_only/tests/common/comments/get_comment.ts
@@ -46,7 +46,7 @@ export default ({ getService }: FtrProviderContext): void => {
 expect(comment).to.eql(patchedCase.comments![0]);
 });
 
- it('should not get a comment in space2', async () => {
+ it('should not get a comment in space2 when it was created in space1', async () => {
 const postedCase = await createCase(supertest, postCaseReq, 200, authSpace1);
 const patchedCase = await createComment({
 supertest,