[Security Solution][Detections] Handle RBAC edge case for Related Int…

…egration on the FE side (#134299) ## Summary Some users won't be able to get additional information about rule's related integrations, such as which of them are installed, enabled, etc. In order to have access to integrations' data in Fleet, a user needs either of these 3 Kibana privileges: - `Integrations`: `Read` or `All` - `Fleet`: `All` - `Saved Objects Management`: `Read` or `All` If all of them are `None`, the Related Integrations feature incorrectly shows all integrations as `Not Installed` even if some of them may be: <img width="1549" alt="Screenshot 2022-06-14 at 04 41 35" src="https://user-images.githubusercontent.com/7359339/173484715-291fa9dd-a1f1-4b91-a752-b7eb64bba2d4.png"> This PR adds a client-side privilege check and falls back to the basic UI that just shows the integration name+link and not any install information. ## Test instructions To test, configure a role with the 3 mentioned privileges as `None`, e.g. <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156872-dfaece7e-a6ef-4774-b01d-e2fa7b66a068.png" /> </p> Then UI should fall back to no installed information: **Rule Details** <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156901-572c4eb3-661f-4edf-974d-ec8ee13d849c.png" /> </p> **Rule Management** <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156924-fbfec8ef-cbff-4966-8bee-bf3e29678cb9.png" /> </p> ## TODO In follow-up PRs: - [ ] Handle the same RBAC edge case for Related Integration on the BE side. Return 403 from the endpoint. - [ ] A test to exercise this fallback (either unit or cypress w/ specific role should do) - [ ] Ensure docs mention the required privileges for this feature ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
elastic · Jun 14, 2022 · f9aa32d · f9aa32d
1 parent 3b7c8a0
commit f9aa32d
Show file tree

Hide file tree

Showing 15 changed files with 497 additions and 329 deletions.
diff --git a/...rules/related_integrations/utils.test.tsx → ..._integrations/integration_details.test.ts b/...rules/related_integrations/utils.test.tsx → ..._integrations/integration_details.test.ts
@@ -5,59 +5,25 @@
  * 2.0.
  */
 
-import {
-  integrationDetailsEnabled,
-  integrationDetailsInstalled,
-  integrationDetailsUninstalled,
-} from './mock';
-import { render } from '@testing-library/react';
-import { getInstalledRelatedIntegrations, getIntegrationLink } from './utils';
+import { calculateIntegrationDetails } from './integration_details';
+import { IntegrationPrivileges } from './integration_privileges';
 
-describe('Related Integrations Utilities', () => {
-  describe('#getIntegrationLink', () => {
-    describe('it returns a correctly formatted integrations link', () => {
-      test('given an uninstalled integrationDetails', () => {
-        const link = getIntegrationLink(integrationDetailsUninstalled, 'http://localhost');
-        const { container } = render(link);
+describe('Integration Details', () => {
+  describe('calculateIntegrationDetails', () => {
+    const stubPrivileges: IntegrationPrivileges = {
+      canReadInstalledIntegrations: true,
+    };
 
-        expect(container.firstChild).toHaveProperty(
-          'href',
-          'http://localhost/app/integrations/detail/test-1.2.3/overview?integration=integration'
-        );
-      });
-
-      test('given an installed integrationDetails', () => {
-        const link = getIntegrationLink(integrationDetailsInstalled, 'http://localhost');
-        const { container } = render(link);
-
-        expect(container.firstChild).toHaveProperty(
-          'href',
-          'http://localhost/app/integrations/detail/test-1.2.3/overview?integration=integration'
-        );
-      });
-
-      test('given an enabled integrationDetails with an unsatisfied version', () => {
-        const link = getIntegrationLink(integrationDetailsEnabled, 'http://localhost');
-        const { container } = render(link);
-
-        expect(container.firstChild).toHaveProperty(
-          'href',
-          'http://localhost/app/integrations/detail/test-1.3.3/overview?integration=integration'
-        );
-      });
-    });
-  });
-
-  describe('#getInstalledRelatedIntegrations', () => {
     test('it returns a the correct integrationDetails', () => {
-      const integrationDetails = getInstalledRelatedIntegrations([], []);
+      const integrationDetails = calculateIntegrationDetails(stubPrivileges, [], []);
 
       expect(integrationDetails.length).toEqual(0);
     });
 
     describe('version is correctly computed', () => {
       test('Unknown integration that does not exist', () => {
-        const integrationDetails = getInstalledRelatedIntegrations(
+        const integrationDetails = calculateIntegrationDetails(
+          stubPrivileges,
           [
             {
               package: 'foo1',
@@ -75,13 +41,14 @@ describe('Related Integrations Utilities', () => {
           []
         );
 
-        expect(integrationDetails[0].target_version).toEqual('1.2.3');
-        expect(integrationDetails[1].target_version).toEqual('1.2.3');
-        expect(integrationDetails[2].target_version).toEqual('1.2.0');
+        expect(integrationDetails[0].targetVersion).toEqual('1.2.3');
+        expect(integrationDetails[1].targetVersion).toEqual('1.2.3');
+        expect(integrationDetails[2].targetVersion).toEqual('1.2.0');
       });
 
       test('Integration that is not installed', () => {
-        const integrationDetails = getInstalledRelatedIntegrations(
+        const integrationDetails = calculateIntegrationDetails(
+          stubPrivileges,
           [
             {
               package: 'aws',
@@ -96,12 +63,13 @@ describe('Related Integrations Utilities', () => {
           []
         );
 
-        expect(integrationDetails[0].target_version).toEqual('1.2.3');
-        expect(integrationDetails[1].target_version).toEqual('1.2.3');
+        expect(integrationDetails[0].targetVersion).toEqual('1.2.3');
+        expect(integrationDetails[1].targetVersion).toEqual('1.2.3');
       });
 
       test('Integration that is installed, and its version matches required version', () => {
-        const integrationDetails = getInstalledRelatedIntegrations(
+        const integrationDetails = calculateIntegrationDetails(
+          stubPrivileges,
           [
             {
               package: 'aws',
@@ -131,15 +99,22 @@ describe('Related Integrations Utilities', () => {
           ]
         );
 
-        // Since version is satisfied, we check `package_version`
-        expect(integrationDetails[0].version_satisfied).toEqual(true);
-        expect(integrationDetails[0].package_version).toEqual('1.3.0');
-        expect(integrationDetails[1].version_satisfied).toEqual(true);
-        expect(integrationDetails[1].package_version).toEqual('1.2.5');
+        expect(integrationDetails[0].installationStatus.isKnown).toEqual(true);
+        if (integrationDetails[0].installationStatus.isKnown) {
+          expect(integrationDetails[0].installationStatus.isVersionMismatch).toEqual(false);
+          expect(integrationDetails[0].installationStatus.installedVersion).toEqual('1.3.0');
+        }
+
+        expect(integrationDetails[1].installationStatus.isKnown).toEqual(true);
+        if (integrationDetails[1].installationStatus.isKnown) {
+          expect(integrationDetails[1].installationStatus.isVersionMismatch).toEqual(false);
+          expect(integrationDetails[1].installationStatus.installedVersion).toEqual('1.2.5');
+        }
       });
 
       test('Integration that is installed, and its version is less than required version', () => {
-        const integrationDetails = getInstalledRelatedIntegrations(
+        const integrationDetails = calculateIntegrationDetails(
+          stubPrivileges,
           [
             {
               package: 'aws',
@@ -169,12 +144,13 @@ describe('Related Integrations Utilities', () => {
           ]
         );
 
-        expect(integrationDetails[0].target_version).toEqual('1.2.3');
-        expect(integrationDetails[1].target_version).toEqual('1.2.3');
+        expect(integrationDetails[0].targetVersion).toEqual('1.2.3');
+        expect(integrationDetails[1].targetVersion).toEqual('1.2.3');
       });
 
       test('Integration that is installed, and its version is greater than required version', () => {
-        const integrationDetails = getInstalledRelatedIntegrations(
+        const integrationDetails = calculateIntegrationDetails(
+          stubPrivileges,
           [
             {
               package: 'aws',
@@ -204,8 +180,8 @@ describe('Related Integrations Utilities', () => {
           ]
         );
 
-        expect(integrationDetails[0].target_version).toEqual('1.2.3');
-        expect(integrationDetails[1].target_version).toEqual('1.2.3');
+        expect(integrationDetails[0].targetVersion).toEqual('1.2.3');
+        expect(integrationDetails[1].targetVersion).toEqual('1.2.3');
       });
     });
   });

diff --git a/...y_solution/public/detections/components/rules/related_integrations/integration_details.ts b/...y_solution/public/detections/components/rules/related_integrations/integration_details.ts
@@ -0,0 +1,195 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { capitalize } from 'lodash';
+import semver from 'semver';
+import {
+  InstalledIntegration,
+  InstalledIntegrationArray,
+  RelatedIntegration,
+  RelatedIntegrationArray,
+} from '../../../../../common/detection_engine/schemas/common';
+import { IntegrationPrivileges } from './integration_privileges';
+
+export interface IntegrationDetails {
+  packageName: string;
+  integrationName: string | null;
+  integrationTitle: string;
+
+  requiredVersion: string;
+  targetVersion: string;
+  targetUrl: string;
+
+  installationStatus: KnownInstallationStatus | UnknownInstallationStatus;
+}
+
+export interface KnownInstallationStatus {
+  isKnown: true;
+  isInstalled: boolean;
+  isEnabled: boolean;
+  isVersionMismatch: boolean;
+  installedVersion: string;
+}
+
+export interface UnknownInstallationStatus {
+  isKnown: false;
+}
+
+/**
+ * Given an array of integrations and an array of installed integrations this will return an
+ * array of integrations augmented with install details like targetVersion, and `version_satisfied`
+ * has.
+ */
+export const calculateIntegrationDetails = (
+  privileges: IntegrationPrivileges,
+  relatedIntegrations: RelatedIntegrationArray,
+  installedIntegrations: InstalledIntegrationArray | undefined
+): IntegrationDetails[] => {
+  const integrationMatches = findIntegrationMatches(relatedIntegrations, installedIntegrations);
+  const integrationDetails = integrationMatches.map((integration) => {
+    return createIntegrationDetails(integration, privileges);
+  });
+
+  return integrationDetails.sort((a, b) => {
+    return a.integrationTitle.localeCompare(b.integrationTitle);
+  });
+};
+
+interface IntegrationMatch {
+  related: RelatedIntegration;
+  installed: InstalledIntegration | null;
+  isLoaded: boolean;
+}
+
+const findIntegrationMatches = (
+  relatedIntegrations: RelatedIntegrationArray,
+  installedIntegrations: InstalledIntegrationArray | undefined
+): IntegrationMatch[] => {
+  return relatedIntegrations.map((ri: RelatedIntegration) => {
+    if (installedIntegrations == null) {
+      return {
+        related: ri,
+        installed: null,
+        isLoaded: false,
+      };
+    } else {
+      const match = installedIntegrations.find(
+        (ii: InstalledIntegration) =>
+          ii.package_name === ri.package && ii?.integration_name === ri?.integration
+      );
+      return {
+        related: ri,
+        installed: match ?? null,
+        isLoaded: true,
+      };
+    }
+  });
+};
+
+const createIntegrationDetails = (
+  integration: IntegrationMatch,
+  privileges: IntegrationPrivileges
+): IntegrationDetails => {
+  const { related, installed, isLoaded } = integration;
+  const { canReadInstalledIntegrations } = privileges;
+
+  const packageName = related.package;
+  const integrationName = related.integration ?? null;
+  const requiredVersion = related.version;
+
+  // We don't know whether the integration is installed or not.
+  if (!canReadInstalledIntegrations || !isLoaded) {
+    const integrationTitle = getCapitalizedTitle(packageName, integrationName);
+    const targetVersion = getMinimumConcreteVersionMatchingSemver(requiredVersion);
+    const targetUrl = buildTargetUrl(packageName, integrationName, targetVersion);
+
+    return {
+      packageName,
+      integrationName,
+      integrationTitle,
+      requiredVersion,
+      targetVersion,
+      targetUrl,
+      installationStatus: {
+        isKnown: false,
+      },
+    };
+  }
+
+  // We know that the integration is not installed
+  if (installed == null) {
+    const integrationTitle = getCapitalizedTitle(packageName, integrationName);
+    const targetVersion = getMinimumConcreteVersionMatchingSemver(requiredVersion);
+    const targetUrl = buildTargetUrl(packageName, integrationName, targetVersion);
+
+    return {
+      packageName,
+      integrationName,
+      integrationTitle,
+      requiredVersion,
+      targetVersion,
+      targetUrl,
+      installationStatus: {
+        isKnown: true,
+        isInstalled: false,
+        isEnabled: false,
+        isVersionMismatch: false,
+        installedVersion: '',
+      },
+    };
+  }
+
+  // We know that the integration is installed
+  {
+    const integrationTitle = installed.integration_title ?? installed.package_title;
+
+    // Version check e.g. installed version `1.2.3` satisfies required version `~1.2.1`
+    const installedVersion = installed.package_version;
+    const isVersionSatisfied = semver.satisfies(installedVersion, requiredVersion);
+    const targetVersion = isVersionSatisfied
+      ? installedVersion
+      : getMinimumConcreteVersionMatchingSemver(requiredVersion);
+
+    const targetUrl = buildTargetUrl(packageName, integrationName, targetVersion);
+
+    return {
+      packageName,
+      integrationName,
+      integrationTitle,
+      requiredVersion,
+      targetVersion,
+      targetUrl,
+      installationStatus: {
+        isKnown: true,
+        isInstalled: true,
+        isEnabled: installed.is_enabled,
+        isVersionMismatch: !isVersionSatisfied,
+        installedVersion,
+      },
+    };
+  }
+};
+
+const getCapitalizedTitle = (packageName: string, integrationName: string | null): string => {
+  return integrationName == null
+    ? `${capitalize(packageName)}`
+    : `${capitalize(packageName)} ${capitalize(integrationName)}`;
+};
+
+const getMinimumConcreteVersionMatchingSemver = (semverString: string): string => {
+  return semver.valid(semver.coerce(semverString)) ?? '';
+};
+
+const buildTargetUrl = (
+  packageName: string,
+  integrationName: string | null,
+  targetVersion: string
+): string => {
+  const packageSegment = targetVersion ? `${packageName}-${targetVersion}` : packageName;
+  const query = integrationName ? `?integration=${integrationName}` : '';
+  return `app/integrations/detail/${packageSegment}/overview${query}`;
+};
diff --git a/...olution/public/detections/components/rules/related_integrations/integration_privileges.ts b/...olution/public/detections/components/rules/related_integrations/integration_privileges.ts
@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export interface IntegrationPrivileges {
+  canReadInstalledIntegrations: boolean;
+}