[Serverless][Security Solution][Endpoint] Gate endpoint exceptions on rule details and API changes

.github/CODEOWNERS

@@ -1332,6 +1332,7 @@ x-pack/plugins/cloud_integrations/cloud_full_story/server/config.ts @elastic/kib
 /x-pack/test/security_solution_endpoint_api_int/ @elastic/security-defend-workflows
 /x-pack/test_serverless/shared/lib/security/kibana_roles/ @elastic/security-defend-workflows
 /x-pack/plugins/security_solution_serverless/public/upselling/sections/endpoint_management @elastic/security-defend-workflows
+/x-pack/plugins/security_solution_serverless/public/upselling/pages/endpoint_management @elastic/security-defend-workflows
 /x-pack/plugins/security_solution_serverless/server/endpoint @elastic/security-defend-workflows
 
 ## Security Solution sub teams - security-telemetry (Data Engineering)

x-pack/packages/security-solution/upselling/service/types.ts

@@ -14,6 +14,7 @@ export type SectionUpsellings = Partial<Record<UpsellingSectionId, React.Compone
 export type UpsellingSectionId =
   | 'entity_analytics_panel'
   | 'endpointPolicyProtections'
-  | 'osquery_automated_response_actions';
+  | 'osquery_automated_response_actions'
+  | 'ruleDetailsEndpointExceptions';
 
 export type UpsellingMessageId = 'investigation_guide';

x-pack/plugins/fleet/common/authz.test.ts

@@ -10,8 +10,11 @@ import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
 import { TRANSFORM_PLUGIN_ID } from './constants/plugin';
 
 import {
+  calculateEndpointExceptionsPrivilegesFromCapabilities,
+  calculateEndpointExceptionsPrivilegesFromKibanaPrivileges,
   calculatePackagePrivilegesFromCapabilities,
   calculatePackagePrivilegesFromKibanaPrivileges,
+  getAuthorizationFromPrivileges,
 } from './authz';
 import { ENDPOINT_PRIVILEGES } from './constants';
 
@@ -74,6 +77,31 @@ describe('fleet authz', () => {
     });
   });
 
+  describe('#calculateEndpointExceptionsPrivilegesFromCapabilities', () => {
+    it('calculates endpoint exceptions privileges correctly', () => {
+      const endpointExceptionsCapabilities = {
+        showEndpointExceptions: false,
+        crudEndpointExceptions: true,
+      };
+
+      const expected = {
+        actions: {
+          showEndpointExceptions: false,
+          crudEndpointExceptions: true,
+        },
+      };
+
+      const actual = calculateEndpointExceptionsPrivilegesFromCapabilities({
+        navLinks: {},
+        management: {},
+        catalogue: {},
+        siem: endpointExceptionsCapabilities,
+      });
+
+      expect(actual).toEqual(expected);
+    });
+  });
+
   describe('calculatePackagePrivilegesFromKibanaPrivileges', () => {
     it('calculates privileges correctly', () => {
       const endpointPrivileges = [
@@ -111,4 +139,86 @@ describe('fleet authz', () => {
       expect(actual).toEqual(expected);
     });
   });
+
+  describe('#calculateEndpointExceptionsPrivilegesFromKibanaPrivileges', () => {
+    it('calculates endpoint exceptions privileges correctly', () => {
+      const endpointExceptionsPrivileges = [
+        { privilege: `${SECURITY_SOLUTION_ID}-showEndpointExceptions`, authorized: true },
+        { privilege: `${SECURITY_SOLUTION_ID}-crudEndpointExceptions`, authorized: false },
+        { privilege: `${SECURITY_SOLUTION_ID}-ignoreMe`, authorized: true },
+      ];
+      const expected = {
+        actions: {
+          showEndpointExceptions: true,
+          crudEndpointExceptions: false,
+        },
+      };
+      const actual = calculateEndpointExceptionsPrivilegesFromKibanaPrivileges(
+        endpointExceptionsPrivileges
+      );
+      expect(actual).toEqual(expected);
+    });
+  });
+
+  describe('#getAuthorizationFromPrivileges', () => {
+    it('returns `false` when no `prefix` nor `searchPrivilege`', () => {
+      expect(
+        getAuthorizationFromPrivileges({
+          kibanaPrivileges: [
+            {
+              privilege: `${SECURITY_SOLUTION_ID}-ignoreMe`,
+              authorized: true,
+            },
+          ],
+        })
+      ).toEqual(false);
+    });
+
+    it('returns correct Boolean when `prefix` and `searchPrivilege` are given', () => {
+      const kibanaPrivileges = [
+        { privilege: `${SECURITY_SOLUTION_ID}-writeHostIsolationExceptions`, authorized: false },
+        { privilege: `${SECURITY_SOLUTION_ID}-writeHostIsolation`, authorized: true },
+        { privilege: `${SECURITY_SOLUTION_ID}-ignoreMe`, authorized: false },
+      ];
+
+      expect(
+        getAuthorizationFromPrivileges({
+          kibanaPrivileges,
+          prefix: `${SECURITY_SOLUTION_ID}-`,
+          searchPrivilege: `writeHostIsolation`,
+        })
+      ).toEqual(true);
+    });
+
+    it('returns correct Boolean when only `prefix` is given', () => {
+      const kibanaPrivileges = [
+        { privilege: `ignore-me-writeHostIsolationExceptions`, authorized: false },
+        { privilege: `${SECURITY_SOLUTION_ID}-writeHostIsolation`, authorized: true },
+        { privilege: `${SECURITY_SOLUTION_ID}-ignoreMe`, authorized: false },
+      ];
+
+      expect(
+        getAuthorizationFromPrivileges({
+          kibanaPrivileges,
+          prefix: `${SECURITY_SOLUTION_ID}-`,
+          searchPrivilege: `writeHostIsolation`,
+        })
+      ).toEqual(true);
+    });
+
+    it('returns correct Boolean when only `searchPrivilege` is given', () => {
+      const kibanaPrivileges = [
+        { privilege: `${SECURITY_SOLUTION_ID}-writeHostIsolationExceptions`, authorized: false },
+        { privilege: `${SECURITY_SOLUTION_ID}-writeHostIsolation`, authorized: true },
+        { privilege: `${SECURITY_SOLUTION_ID}-ignoreMe`, authorized: false },
+      ];
+
+      expect(
+        getAuthorizationFromPrivileges({
+          kibanaPrivileges,
+          searchPrivilege: `writeHostIsolation`,
+        })
+      ).toEqual(true);
+    });
+  });
 });

x-pack/plugins/fleet/common/authz.ts

@@ -9,7 +9,7 @@ import type { Capabilities } from '@kbn/core-capabilities-common';
 
 import { TRANSFORM_PLUGIN_ID } from './constants/plugin';
 
-import { ENDPOINT_PRIVILEGES } from './constants';
+import { ENDPOINT_EXCEPTIONS_PRIVILEGES, ENDPOINT_PRIVILEGES } from './constants';
 
 export type TransformPrivilege =
   | 'canGetTransform'
@@ -49,6 +49,13 @@ export interface FleetAuthz {
       };
     };
   };
+
+  endpointExceptionsPrivileges?: {
+    actions: {
+      crudEndpointExceptions: boolean;
+      showEndpointExceptions: boolean;
+    };
+  };
 }
 
 interface CalculateParams {
@@ -135,19 +142,53 @@ export function calculatePackagePrivilegesFromCapabilities(
   };
 }
 
-function getAuthorizationFromPrivileges(
+export function calculateEndpointExceptionsPrivilegesFromCapabilities(
+  capabilities: Capabilities | undefined
+): FleetAuthz['endpointExceptionsPrivileges'] {
+  if (!capabilities) {
+    return;
+  }
+
+  const endpointExceptionsActions = Object.keys(capabilities.siem).reduce<Record<string, boolean>>(
+    (acc, privilegeName) => {
+      if (Object.keys(ENDPOINT_EXCEPTIONS_PRIVILEGES).includes(privilegeName)) {
+        acc[privilegeName] = (capabilities.siem[privilegeName] as boolean) || false;
+      }
+      return acc;
+    },
+    {}
+  );
+
+  return {
+    actions: endpointExceptionsActions,
+  } as FleetAuthz['endpointExceptionsPrivileges'];
+}
+
+export function getAuthorizationFromPrivileges({
+  kibanaPrivileges,
+  searchPrivilege = '',
+  prefix = '',
+}: {
   kibanaPrivileges: Array<{
     resource?: string;
     privilege: string;
     authorized: boolean;
-  }>,
-  prefix: string,
-  searchPrivilege: string
-): boolean {
-  const privilege = kibanaPrivileges.find((p) =>
-    p.privilege.endsWith(`${prefix}${searchPrivilege}`)
-  );
-  return privilege?.authorized || false;
+  }>;
+  prefix?: string;
+  searchPrivilege?: string;
+}): boolean {
+  const privilege = kibanaPrivileges.find((p) => {
+    if (prefix.length && searchPrivilege.length) {
+      return p.privilege.endsWith(`${prefix}${searchPrivilege}`);
+    } else if (prefix.length) {
+      return p.privilege.endsWith(`${prefix}`);
+    } else if (searchPrivilege.length) {
+      return p.privilege.endsWith(`${searchPrivilege}`);
+    }
+    return false;
+  });
+
+  return !!privilege?.authorized;
 }
 
 export function calculatePackagePrivilegesFromKibanaPrivileges(
@@ -165,11 +206,11 @@ export function calculatePackagePrivilegesFromKibanaPrivileges(
 
   const endpointActions = Object.entries(ENDPOINT_PRIVILEGES).reduce<PrivilegeMap>(
     (acc, [privilege, { appId, privilegeSplit, privilegeName }]) => {
-      const kibanaPrivilege = getAuthorizationFromPrivileges(
+      const kibanaPrivilege = getAuthorizationFromPrivileges({
         kibanaPrivileges,
-        `${appId}${privilegeSplit}`,
-        privilegeName
-      );
+        prefix: `${appId}${privilegeSplit}`,
+        searchPrivilege: privilegeName,
+      });
       acc[privilege] = {
         executePackageAction: kibanaPrivilege,
       };
@@ -178,11 +219,11 @@ export function calculatePackagePrivilegesFromKibanaPrivileges(
     {}
   );
 
-  const hasTransformAdmin = getAuthorizationFromPrivileges(
+  const hasTransformAdmin = getAuthorizationFromPrivileges({
     kibanaPrivileges,
-    `${TRANSFORM_PLUGIN_ID}-`,
-    `admin`
-  );
+    prefix: `${TRANSFORM_PLUGIN_ID}-`,
+    searchPrivilege: `admin`,
+  });
   const transformActions: {
     [key in TransformPrivilege]: {
       executePackageAction: boolean;
@@ -198,11 +239,11 @@ export function calculatePackagePrivilegesFromKibanaPrivileges(
       executePackageAction: hasTransformAdmin,
     },
     canGetTransform: {
-      executePackageAction: getAuthorizationFromPrivileges(
+      executePackageAction: getAuthorizationFromPrivileges({
         kibanaPrivileges,
-        `${TRANSFORM_PLUGIN_ID}-`,
-        `read`
-      ),
+        prefix: `${TRANSFORM_PLUGIN_ID}-`,
+        searchPrivilege: `read`,
+      }),
     },
   };
 
@@ -215,3 +256,28 @@ export function calculatePackagePrivilegesFromKibanaPrivileges(
     },
   };
 }
+
+export function calculateEndpointExceptionsPrivilegesFromKibanaPrivileges(
+  kibanaPrivileges:
+    | Array<{
+        resource?: string;
+        privilege: string;
+        authorized: boolean;
+      }>
+    | undefined
+): FleetAuthz['endpointExceptionsPrivileges'] {
+  if (!kibanaPrivileges || !kibanaPrivileges.length) {
+    return;
+  }
+  const endpointExceptionsActions = Object.entries(ENDPOINT_EXCEPTIONS_PRIVILEGES).reduce<
+    Record<string, boolean>
+  >((acc, [privilege, { appId, privilegeSplit, privilegeName }]) => {
+    acc[privilege] = getAuthorizationFromPrivileges({
+      kibanaPrivileges,
+      searchPrivilege: privilegeName,
+    });
+    return acc;
+  }, {});
+
+  return { actions: endpointExceptionsActions } as FleetAuthz['endpointExceptionsPrivileges'];
+}

x-pack/plugins/fleet/common/constants/authz.ts

@@ -10,7 +10,7 @@ import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
 
 const SECURITY_SOLUTION_APP_ID = 'siem';
 
-interface PrivilegeMapObject {
+export interface PrivilegeMapObject {
   appId: string;
   privilegeSplit: string;
   privilegeType: 'ui' | 'api';
@@ -163,3 +163,18 @@ export const ENDPOINT_PRIVILEGES: Record<string, PrivilegeMapObject> = deepFreez
     privilegeName: 'writeExecuteOperations',
   },
 });
+
+export const ENDPOINT_EXCEPTIONS_PRIVILEGES: Record<string, PrivilegeMapObject> = deepFreeze({
+  showEndpointExceptions: {
+    appId: DEFAULT_APP_CATEGORIES.security.id,
+    privilegeSplit: '-',
+    privilegeType: 'api',
+    privilegeName: 'showEndpointExceptions',
+  },
+  crudEndpointExceptions: {
+    appId: DEFAULT_APP_CATEGORIES.security.id,
+    privilegeSplit: '-',
+    privilegeType: 'api',
+    privilegeName: 'crudEndpointExceptions',
+  },
+});

x-pack/plugins/fleet/common/mocks.ts

@@ -6,10 +6,10 @@
  */
 
 import type {
-  PostDeletePackagePoliciesResponse,
+  AgentPolicy,
   NewPackagePolicy,
   PackagePolicy,
-  AgentPolicy,
+  PostDeletePackagePoliciesResponse,
 } from './types';
 import type { FleetAuthz } from './authz';
 import { dataTypes, ENDPOINT_PRIVILEGES } from './constants';
@@ -108,6 +108,12 @@ export const createFleetAuthzMock = (): FleetAuthz => {
         },
       },
     },
+    endpointExceptionsPrivileges: {
+      actions: {
+        showEndpointExceptions: true,
+        crudEndpointExceptions: true,
+      },
+    },
   };
 };