elastic · jonathan-buttner · Aug 2, 2022 · Jul 27, 2022 · Jul 27, 2022 · Jul 28, 2022
@@ -12,3 +12,4 @@ export * from './status';
 export * from './user_actions';
 export * from './constants';
 export * from './alerts';
+export * from './suggest_user_profiles';
diff --git a/x-pack/plugins/cases/common/api/cases/suggest_user_profiles.ts b/x-pack/plugins/cases/common/api/cases/suggest_user_profiles.ts
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as rt from 'io-ts';
+
+export const SuggestUserProfilesRequestRt = rt.intersection([
+  rt.type({
+    name: rt.string,
+    owners: rt.array(rt.string),
+  }),
+  rt.partial({ size: rt.number }),
+]);
+
+export type SuggestUserProfilesRequest = rt.TypeOf<typeof SuggestUserProfilesRequestRt>;
@@ -78,6 +78,8 @@ export const CASE_METRICS_DETAILS_URL = `${CASES_URL}/metrics/{case_id}` as cons
 export const CASES_INTERNAL_URL = '/internal/cases' as const;
 export const INTERNAL_BULK_CREATE_ATTACHMENTS_URL =
   `${CASES_INTERNAL_URL}/{case_id}/attachments/_bulk_create` as const;
+export const INTERNAL_SUGGEST_USER_PROFILES_URL =
+  `${CASES_INTERNAL_URL}/_suggest_user_profiles` as const;
 
 /**
  * Action routes

@@ -38,6 +38,7 @@ export const getCasesKibanaFeature = (): KibanaFeatureConfig => {
     cases: [APP_ID],
     privileges: {
       all: {
+        api: ['casesSuggestAssignees'],
         cases: {
           create: [APP_ID],
           read: [APP_ID],

@@ -51,6 +51,7 @@ import { createCasesTelemetry, scheduleCasesTelemetryTask } from './telemetry';
 import { getInternalRoutes } from './routes/api/get_internal_routes';
 import { PersistableStateAttachmentTypeRegistry } from './attachment_framework/persistable_state_registry';
 import { ExternalReferenceAttachmentTypeRegistry } from './attachment_framework/external_reference_registry';
+import { UserProfileService } from './services';
 
 export interface PluginsSetup {
   actions: ActionsPluginSetup;
@@ -77,13 +78,15 @@ export class CasePlugin {
   private lensEmbeddableFactory?: LensServerPluginSetup['lensEmbeddableFactory'];
   private persistableStateAttachmentTypeRegistry: PersistableStateAttachmentTypeRegistry;
   private externalReferenceAttachmentTypeRegistry: ExternalReferenceAttachmentTypeRegistry;
+  private userProfileService: UserProfileService;
 
   constructor(private readonly initializerContext: PluginInitializerContext) {
     this.kibanaVersion = initializerContext.env.packageInfo.version;
     this.logger = this.initializerContext.logger.get();
     this.clientFactory = new CasesClientFactory(this.logger);
     this.persistableStateAttachmentTypeRegistry = new PersistableStateAttachmentTypeRegistry();
     this.externalReferenceAttachmentTypeRegistry = new ExternalReferenceAttachmentTypeRegistry();
+    this.userProfileService = new UserProfileService(this.logger);
   }
 
   public setup(core: CoreSetup, plugins: PluginsSetup): PluginSetupContract {
@@ -138,7 +141,7 @@ export class CasePlugin {
 
     registerRoutes({
       router,
-      routes: [...getExternalRoutes(), ...getInternalRoutes()],
+      routes: [...getExternalRoutes(), ...getInternalRoutes(this.userProfileService)],
       logger: this.logger,
       kibanaVersion: this.kibanaVersion,
       telemetryUsageCounter,
@@ -163,6 +166,12 @@ export class CasePlugin {
       scheduleCasesTelemetryTask(plugins.taskManager, this.logger);
     }
 
+    this.userProfileService.initialize({
+      spaces: plugins.spaces,
+      securityPluginSetup: this.securityPluginSetup,
+      securityPluginStart: plugins.security,
+    });
+
     this.clientFactory.initialize({
       securityPluginSetup: this.securityPluginSetup,
       securityPluginStart: plugins.security,

@@ -5,7 +5,10 @@
  * 2.0.
  */
 
+import { UserProfileService } from '../../services';
 import { bulkCreateAttachmentsRoute } from './internal/bulk_create_attachments';
+import { suggestUserProfilesRoute } from './internal/suggest_user_profiles';
 import { CaseRoute } from './types';
 
-export const getInternalRoutes = () => [bulkCreateAttachmentsRoute] as CaseRoute[];
+export const getInternalRoutes = (userProfileService: UserProfileService) =>
+  [bulkCreateAttachmentsRoute, suggestUserProfilesRoute(userProfileService)] as CaseRoute[];
@@ -0,0 +1,36 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { UserProfileService } from '../../../services';
+import { INTERNAL_SUGGEST_USER_PROFILES_URL } from '../../../../common/constants';
+import { createCaseError } from '../../../common/error';
+import { createCasesRoute } from '../create_cases_route';
+import { escapeHatch } from '../utils';
+
+export const suggestUserProfilesRoute = (userProfileService: UserProfileService) =>
+  createCasesRoute({
+    method: 'post',
+    path: INTERNAL_SUGGEST_USER_PROFILES_URL,
+    routerOptions: {
+      tags: ['access:casesSuggestAssignees'],
+    },
+    params: {
+      body: escapeHatch,
+    },
+    handler: async ({ request, response }) => {
+      try {
+        return response.ok({
+          body: await userProfileService.suggest(request),
+        });
+      } catch (error) {
+        throw createCaseError({
+          message: `Failed to find user profiles: ${error}`,
+          error,
+        });
+      }
+    },
+  });
@@ -74,11 +74,12 @@ export const registerRoutes = (deps: RegisterRoutesDeps) => {
   const { router, routes, logger, kibanaVersion, telemetryUsageCounter } = deps;
 
   routes.forEach((route) => {
-    const { method, path, params, options, handler } = route;
+    const { method, path, params, options, routerOptions, handler } = route;
 
     (router[method] as RouteRegistrar<typeof method, CasesRequestHandlerContext>)(
       {
         path,
+        options: routerOptions,
         validate: {
           params: params?.params ?? escapeHatch,
           query: params?.query ?? escapeHatch,

@@ -40,10 +40,19 @@ interface CaseRouteHandlerArguments<P, Q, B> {
   kibanaVersion: PluginInitializerContext['env']['packageInfo']['version'];
 }
 
+type CaseRouteTags = 'access:casesSuggestAssignees';
+
 export interface CaseRoute<P = unknown, Q = unknown, B = unknown> {
   method: 'get' | 'post' | 'put' | 'delete' | 'patch';
   path: string;
   params?: RouteValidatorConfig<P, Q, B>;
+  /**
+   * These options control pre-route execution behavior
+   */
   options?: { deprecated?: boolean };
+  /**
+   * These options are passed to the router's options field
+   */
+  routerOptions?: { tags: CaseRouteTags[] };
   handler: (args: CaseRouteHandlerArguments<P, Q, B>) => Promise<IKibanaResponse>;
 }
@@ -14,6 +14,7 @@ export { CaseUserActionService } from './user_actions';
 export { ConnectorMappingsService } from './connector_mappings';
 export { AlertService } from './alerts';
 export { AttachmentService } from './attachments';
+export { UserProfileService } from './user_profiles';
 
 export interface ClientArgs {
   unsecuredSavedObjectsClient: SavedObjectsClientContract;

@@ -0,0 +1,117 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import Boom from '@hapi/boom';
+import { pipe } from 'fp-ts/lib/pipeable';
+import { fold } from 'fp-ts/lib/Either';
+import { identity } from 'fp-ts/lib/function';
+
+import { KibanaRequest, Logger } from '@kbn/core/server';
+import {
+  SecurityPluginSetup,
+  SecurityPluginStart,
+  UserProfileServiceStart,
+} from '@kbn/security-plugin/server';
+import { SpacesPluginStart } from '@kbn/spaces-plugin/server';
+
+import { excess, SuggestUserProfilesRequestRt, throwErrors } from '../../../common/api';
+import { Operations } from '../../authorization';
+import { createCaseError } from '../../common/error';
+
+interface UserProfileOptions {
+  securityPluginSetup?: SecurityPluginSetup;
+  securityPluginStart?: SecurityPluginStart;
+  spaces: SpacesPluginStart;
+}
+
+export class UserProfileService {
+  private options?: UserProfileOptions;
+
+  constructor(private readonly logger: Logger) {}
+
+  public initialize(options: UserProfileOptions) {
+    if (this.options !== undefined) {
+      throw new Error('UserProfileService was already initialized');
+    }
+
+    this.options = options;
+  }
+
+  public async suggest(request: KibanaRequest): ReturnType<UserProfileServiceStart['suggest']> {
-  public async suggest(request: KibanaRequest): ReturnType<UserProfileServiceStart['suggest']> {
+  public async suggest(request: KibanaRequest): Promise<UserProfile[]> {
-  public async suggest(request: KibanaRequest): ReturnType<UserProfileServiceStart['suggest']> {
+  public async suggest(request: KibanaRequest): Promise<UserProfile[]> {
+    const params = pipe(
+      excess(SuggestUserProfilesRequestRt).decode(request.body),
+      fold(throwErrors(Boom.badRequest), identity)
+    );
+
+    const { name, size, owners } = params;
+
+    try {
+      if (this.options === undefined) {
+        throw new Error('UserProfileService must be initialized before calling suggest');
+      }
+
+      const { spaces } = this.options;
+
+      const securityPluginFields = {
+        securityPluginSetup: this.options.securityPluginSetup,
+        securityPluginStart: this.options.securityPluginStart,
+      };
+
+      if (!UserProfileService.isSecurityEnabled(securityPluginFields)) {
+        return [];
+      }
+
+      const { securityPluginStart } = securityPluginFields;
+
+      return securityPluginStart.userProfiles.suggest({
+        name,
+        size,
+        dataPath: 'avatar',
+        requiredPrivileges: {
+          spaceId: spaces.spacesService.getSpaceId(request),
+          privileges: {
+            kibana: UserProfileService.buildRequiredPrivileges(owners, securityPluginStart),
+          },
+        },
+      });
+    } catch (error) {
+      throw createCaseError({
+        logger: this.logger,
+        message: `Failed to retrieve suggested user profiles in service for name: ${name} owners: [${owners.join(
+          ','
+        )}]`,
-        message: `Failed to retrieve suggested user profiles in service for name: ${name} owners: [${owners.join(
-          ','
-        )}]`,
+        message: `Failed to retrieve suggested user profiles in service for name: ${name} owners: [${owners}]`,
-        message: `Failed to retrieve suggested user profiles in service for name: ${name} owners: [${owners.join(
-          ','
-        )}]`,
+        message: `Failed to retrieve suggested user profiles in service for name: ${name} owners: [${owners}]`,
+      });
+    }
+  }
+
+  private static isSecurityEnabled(fields: {
+    securityPluginSetup?: SecurityPluginSetup;
+    securityPluginStart?: SecurityPluginStart;
+  }): fields is {
+    securityPluginSetup: SecurityPluginSetup;
+    securityPluginStart: SecurityPluginStart;
+  } {
+    const { securityPluginSetup, securityPluginStart } = fields;
+
+    return (
+      securityPluginStart !== undefined &&
+      securityPluginSetup !== undefined &&
+      securityPluginSetup.license.isEnabled()
+    );
+  }
+
+  private static buildRequiredPrivileges(owners: string[], security: SecurityPluginStart) {
+    const privileges: string[] = [];
+    for (const owner of owners) {
+      for (const operation of [Operations.updateCase.name, Operations.getCase.name]) {
+        privileges.push(security.authz.actions.cases.get(owner, operation));
+      }
+    }
+
+    return privileges;
+  }
+}
diff --git a/x-pack/plugins/observability/server/plugin.ts b/x-pack/plugins/observability/server/plugin.ts
@@ -55,6 +55,7 @@ export class ObservabilityPlugin implements Plugin<ObservabilityPluginSetup> {
       cases: [observabilityFeatureId],
       privileges: {
         all: {
+          api: ['casesSuggestAssignees'],
           app: [casesFeatureId, 'kibana'],
           catalogue: [observabilityFeatureId],
           cases: {
@@ -63,7 +64,6 @@ export class ObservabilityPlugin implements Plugin<ObservabilityPluginSetup> {
             update: [observabilityFeatureId],
             push: [observabilityFeatureId],
           },
-          api: [],
           savedObject: {
             all: [],
             read: [],
@@ -76,7 +76,6 @@ export class ObservabilityPlugin implements Plugin<ObservabilityPluginSetup> {
           cases: {
             read: [observabilityFeatureId],
           },
-          api: [],
           savedObject: {
             all: [],
             read: [],

diff --git a/x-pack/plugins/security_solution/server/features.ts b/x-pack/plugins/security_solution/server/features.ts
@@ -29,6 +29,7 @@ export const getCasesKibanaFeature = (): KibanaFeatureConfig => {
     cases: [APP_ID],
     privileges: {
       all: {
+        api: ['casesSuggestAssignees'],
         app: [CASES_FEATURE_ID, 'kibana'],
         catalogue: [APP_ID],
         cases: {
@@ -37,7 +38,6 @@ export const getCasesKibanaFeature = (): KibanaFeatureConfig => {
           update: [APP_ID],
           push: [APP_ID],
         },
-        api: [],
         savedObject: {
           all: [],
           read: [],
@@ -50,7 +50,6 @@ export const getCasesKibanaFeature = (): KibanaFeatureConfig => {
         cases: {
           read: [APP_ID],
         },
-        api: [],
         savedObject: {
           all: [],
           read: [],

@@ -31,6 +31,7 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
       cases: ['observabilityFixture'],
       privileges: {
         all: {
+          api: ['casesSuggestAssignees'],
           app: ['kibana'],
           cases: {
             all: ['observabilityFixture'],

@@ -32,6 +32,7 @@ export class FixturePlugin implements Plugin<void, void, FixtureSetupDeps, Fixtu
       cases: ['securitySolutionFixture'],
       privileges: {
         all: {
+          api: ['casesSuggestAssignees'],
           app: ['kibana'],
           cases: {
             create: ['securitySolutionFixture'],

@@ -21,6 +21,29 @@ export const noKibanaPrivileges: Role = {
   },
 };
 
+export const noCasesPrivilegesSpace1: Role = {
+  name: 'no_kibana_privileges',
+  privileges: {
+    elasticsearch: {
+      indices: [
+        {
+          names: ['*'],
+          privileges: ['all'],
+        },
+      ],
+    },
+    kibana: [
+      {
+        feature: {
+          actions: ['read'],
+          actionsSimulators: ['read'],
+        },
+        spaces: ['space1'],
+      },
+    ],
+  },
+};
+
 export const globalRead: Role = {
   name: 'global_read',
   privileges: {
@@ -217,6 +240,7 @@ export const observabilityOnlyRead: Role = {
 
 export const roles = [
   noKibanaPrivileges,
+  noCasesPrivilegesSpace1,
   globalRead,
   securitySolutionOnlyAll,
   securitySolutionOnlyRead,